CCNA NAT Questions

65 questions · NAT topic · All types, answers revealed

1
MCQ · hard

Refer to the exhibit. A network administrator configures NAT overload on R1 to allow internal hosts in the 10.1.1.0/24 subnet to access the Internet. After the configuration, the administrator runs the show ip nat translations verbose command and notices that several internal sessions all appear to use the same inside global port 1024. The administrator is concerned that port conflicts will occur. Based on the output, which statement is correct?

A. The NAT configuration is missing the overload keyword, causing all internal hosts to share a single source port.
B. The static NAT entry mapping 203.0.113.5 to the entire 10.1.1.0/24 subnet forces all subordinate translations to use the same port 1024.
C. The dynamic NAT pool is exhausted, forcing the router to reuse port 1024 for all new sessions.
D. The translations are extended entries, so the combination of inside global IP, outside global IP, and port ensures each session is unique, even though the inside global port is the same.
Answer: D

Each table entry carries the 'extended' flag, which means the translation includes the destination address and port. This allows the same inside global port 1024 to be used simultaneously for different destinations (198.51.100.10:53, 203.0.113.100:443, 203.0.113.200:22). The five‑tuple still uniquely identifies the session, so port conflicts do not occur.

Why this answer

The exhibit shows four dynamic NAT translations, each marked with the 'extended' flag. In extended PAT, the translation table includes the destination IP address and port (the Outside global field). Even though all entries share the same inside global port 1024, each translation has a different Outside global pair (198.51.100.10:53 for UDP, 203.0.113.100:443 and 203.0.113.200:22 for TCP).

Therefore, the five‑tuple (protocol, inside global IP, inside global port, outside global IP, outside global port) remains unique for each session, and no port conflict exists. The 'extended' flag explicitly confirms that the router is using this extended matching logic to allow port reuse.

Exam trap

Option A is the most common trap because candidates often associate a single global port with a missing overload keyword. However, the presence of the 'extended' flag and the different outside destinations in the exhibit demonstrate that PAT overload is active and correctly implemented.

Why the other options are wrong

A

Candidates think that seeing the same global port means overload is not operating, but port reuse is normal in extended PAT.

B

Candidates may misinterpret the summary line as a static identity NAT rule that locks all translations to a single port.

C

Candidates confuse pool exhaustion (no free global addresses) with port reuse. Exhaustion typically manifests as translation failures, not as many entries sharing the same port.

2
Multi-Select · medium

Which three of the following are functions of Network Address Translation (NAT) overload (PAT)? (Choose three.)

Select 3 answers
  • It translates multiple private IP addresses to a single public IP address.
  • It uses unique source port numbers to differentiate between internal sessions.
  • It requires a pool of public IP addresses equal to the number of internal hosts.
  • It can be configured with the 'ip nat inside source list' command referencing a standard ACL.
  • It provides inbound-initiated connections to internal servers without static entries.
  • It performs a one-to-one mapping between inside local and inside global addresses.

Why this answer

PAT (Port Address Translation), also known as NAT overload, allows multiple internal hosts to share a single public IP address by translating each session's source port to a unique port number. This enables the router to differentiate between concurrent sessions from different internal hosts, even though they all appear to originate from the same public IP. The correct options highlight the core functions: translating many private IPs to one public IP and using unique source port numbers for session differentiation.

Exam trap

Cisco often tests the misconception that PAT requires a pool of public IPs equal to the number of internal hosts, when in fact PAT's defining feature is the ability to map many internal hosts to a single public IP using port multiplexing.

3
PBQ · hard

You are connected to R1 in a small office network. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the public IP 203.0.113.1 (the IP assigned to interface G0/0). Also configure a static NAT for the internal web server at 192.168.1.10 to the public IP 203.0.113.6. The current configuration has errors: the inside/outside interface assignments are swapped, the ACL for PAT does not match the inside subnet, and the PAT rule points to the wrong ACL. Fix all issues so that both PAT and static NAT work correctly.

Network Topology
[Diagram: ISP/Internet, R1 (G0/0 203.0.113.1/29, G0/1 192.168.1.0/24), Switch, LAN]

Hints

  • Check which interface is public and which is private — they are reversed.
  • The ACL used in the PAT command must match the inside subnet exactly.
  • The PAT command should reference the correct outside interface and the correct ACL.
A. Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
B. Configure G0/0 as inside, G0/1 as outside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/1 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
C. Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.2.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
D. Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 2 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
Answer: A
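Solution
! R1
configure terminal
! G0/0 faces the ISP: make it the outside interface
interface GigabitEthernet0/0
 no ip nat inside
 ip nat outside
 exit
! G0/1 faces the LAN: make it the inside interface
interface GigabitEthernet0/1
 no ip nat outside
 ip nat inside
 exit
! Rebuild ACL 1 so that it matches the inside subnet
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
! Remove the wrong PAT rules and overload on G0/0 using ACL 1
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 1 interface GigabitEthernet0/0 overload
no ip nat inside source list 2 interface GigabitEthernet0/0 overload
end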

Why this answer

The main issues: (1) Interfaces were swapped — G0/0 (public) was inside and G0/1 (private) was outside. They should be reversed: G0/0 outside, G0/1 inside. (2) ACL 1 (used in the PAT command) permitted 192.168.2.0/24 instead of 192.168.1.0/24. (3) The PAT command for G0/0 used ACL 2, which was correct for the subnet but the interface was wrong. After fixing interface assignments and correcting ACL 1 to permit the inside subnet, the PAT command must use ACL 1 and the correct outside interface.

The static NAT was correctly configured but needed the correct inside interface. The PAT translation uses the IP address of the outside interface (interface overload), so after fixing the configuration, inside hosts will be translated to 203.0.113.1, the primary IP of G0/0, not 203.0.113.5.

Exam trap

Common traps include confusing inside/outside interface roles, mismatching ACL subnets, and referencing the wrong ACL number in the PAT command. Always verify interface assignments, ACL content, and command syntax step by step.

Why the other options are wrong

B

The specific factual error: The inside/outside interface roles are reversed; PAT is applied to the wrong interface.

C

The specific factual error: The ACL does not match the inside network, so PAT will not be applied to LAN traffic.

D

The specific factual error: The PAT command uses the wrong ACL number; it should use ACL 1, not ACL 2.

4
MCQ · hard

A network administrator has configured dynamic NAT on a Cisco router to allow internal hosts to access the Internet. Internal hosts can ping external servers, but external hosts cannot initiate connections to any internal host. The administrator checks the NAT translations. What is the most likely cause of this behavior?

A. The NAT pool is exhausted because it contains only 21 addresses, and more than 21 internal hosts are trying to access the Internet simultaneously.
B. The router is configured for dynamic NAT without overload (PAT), so it assigns one public IP per inside host and does not allow inbound connections without a static mapping.
C. The inside local addresses are not in the same subnet as the inside interface, causing asymmetric routing.
D. The outside global addresses are not routable on the Internet, so external hosts cannot send return traffic.
Answer: B

The absence of protocol/port in the translations indicates one-to-one dynamic NAT without overload. This explains why internal hosts can initiate outbound traffic (they get a public IP) but external hosts cannot reach internal hosts (no return path).

Why this answer

Option B is correct because dynamic NAT without overload maps each inside host to a unique public IP from the pool, but it does not allow external hosts to initiate connections because there is no static mapping or port forwarding to direct inbound traffic. The described behavior—internal hosts reaching the Internet while external hosts cannot initiate connections—is typical of dynamic NAT without PAT. With PAT (overload), many internal hosts share a single public IP and inbound connections would still require explicit port forwarding; without overload, the router simply does not know how to translate incoming requests back to the correct inside host.

Exam trap

Candidates often confuse dynamic NAT with Port Address Translation (PAT). The trap is assuming that any dynamic NAT configuration automatically allows inbound connections, but without overload, external hosts cannot reach internal hosts unless static NAT or port forwarding is configured.

Why the other options are wrong

A

The symptom described is that external hosts cannot initiate connections to internal hosts. Even if the NAT pool were exhausted, internal hosts would still be able to initiate outbound connections (using PAT if configured), and external hosts would still be unable to initiate inbound connections unless static NAT or port forwarding is configured. Pool exhaustion would cause outbound failures, not specifically inbound failures.

C

The inside local addresses (192.168.1.x) are private IPs that are typically configured on the inside interface. The NAT translations show them mapping to public IPs, indicating that the router is correctly performing NAT. Asymmetric routing would cause connectivity issues in both directions, not just inbound, and is not indicated by the given symptoms.

D

The question states that internal hosts can ping external servers, which means return traffic is reaching the internal hosts. If the outside global addresses were not routable, the ping would fail because the external server would not be able to send a reply. Therefore, the addresses must be routable in this scenario.

5
MCQ · hard

Refer to the exhibit. A network administrator is reviewing the NAT translations on router R1 and notices that the internal host 192.168.1.10 appears in both a static NAT entry (for ports 80 and 443) using global address 203.0.113.10, and a dynamic PAT entry (port 49152) using global address 203.0.113.1. The administrator is concerned this might indicate a misconfiguration. Based on the output, which statement is correct?

A. The translations are functioning correctly; the static entries allow inbound web traffic to the host, while the dynamic PAT entry supports an outbound client connection.
B. The static NAT rule is being overridden by the dynamic PAT rule, causing inbound web traffic to the server to fail.
C. The dynamic PAT entry indicates a duplicate session that will cause asymmetric routing and packet drops.
D. The router is incorrectly performing both static and dynamic NAT for the same inside address, which violates the configured NAT order.
Answer: A

The static mappings for ports 80 and 443 (global 203.0.113.10 → 192.168.1.10) are not overridden because the dynamic PAT entry uses a different global address (203.0.113.1) and a different source port (49152). This separation enables both inbound server traffic and outbound client traffic for the same inside host, which is a valid design.

Why this answer

The output shows static NAT entries mapping TCP ports 80 and 443 from global 203.0.113.10 to inside host 192.168.1.10. Simultaneously, a dynamic PAT entry maps a high ephemeral port 49152 to the same inside host for an outbound connection to 198.51.100.5:80. Because the static entries use a different global IP (203.0.113.10) and different port numbers than the dynamic PAT entry (203.0.113.1:49152), both can coexist correctly — static NAT handles inbound web requests, dynamic PAT handles outbound client traffic.

This is a normal operational state, not a misconfiguration.

Exam trap

Candidates often incorrectly assume that a single inside host cannot have both a static NAT entry and a dynamic PAT entry, leading them to choose option B (that the static rule is overridden). However, these entries serve different traffic directions and port ranges, so they coexist without conflict.

Why the other options are wrong

B

A common misconception is that any dynamic NAT entry for the same inside local address takes precedence or conflicts with static entries. In reality, the more specific static mapping takes priority for matching traffic, and the dynamic entry handles unrelated flows.

C

Candidates may misinterpret the presence of the same inside local IP in two entries as a duplicate session. Asymmetric routing would require inconsistent state in both directions, but here the NAT table correctly tracks distinct flows.

D

Some candidates believe that a single inside address can only participate in one type of NAT at a time. In fact, multiple NAT rules can coexist, and the router will use the most specific match (static port mapping) before falling back to dynamic PAT for unmapped ports.

6
PBQ · hard

You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 inside network can reach the Internet through the outside interface GigabitEthernet0/1 using the IP address 203.0.113.1. Additionally, configure static NAT to map internal server 192.168.1.10 to public IP 203.0.113.5. The current configuration has several errors. Identify and correct them.

Hints

  • Check the NAT direction on the interfaces.
  • Is the overload keyword present?
  • Does the ACL match the correct inside subnet?
A. Correct the NAT interface directions: G0/0 as inside, G0/1 as outside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
B. Change the NAT interface directions: G0/0 as outside, G0/1 as inside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
C. Correct the NAT interface directions: G0/0 as inside, G0/1 as outside. Add 'overload' to the PAT command. Keep ACL 100 as is because it already permits the correct subnet.
D. Change the NAT interface directions: G0/0 as outside, G0/1 as inside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
Answer: A
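Solution
! R1
configure terminal
! G0/0 is the LAN side, G0/1 is the Internet side
interface GigabitEthernet0/0
 ip nat inside
 exit
interface GigabitEthernet0/1
 ip nat outside
 exit
! PAT on the outside interface address; 'overload' enables port translation
ip nat inside source list 100 interface GigabitEthernet0/1 overload
! Rebuild ACL 100 so that it matches the inside subnet
no access-list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
end
write memory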

Why this answer

The configuration had three issues: (1) Inside and outside interfaces were swapped — G0/0 (inside) was marked 'ip nat outside' and G0/1 (outside) was 'ip nat inside'. (2) The PAT command was missing the 'overload' keyword. (3) ACL 100 matched the wrong subnet (192.168.2.0 instead of 192.168.1.0). To fix: correct interface NAT directions, add 'overload', and update ACL to permit 192.168.1.0/24.

Exam trap

Watch for three common NAT configuration errors: interface direction misassignment, missing 'overload' keyword for PAT, and incorrect ACL subnet matching. Always verify each component separately.

Why the other options are wrong

B

The specific factual error is that the inside and outside interfaces are swapped; G0/0 is the internal interface and must be 'ip nat inside'.

C

The specific factual error is that the ACL permits the wrong subnet (192.168.2.0 instead of 192.168.1.0).

D

The specific factual error is that both the interface directions are swapped and the ACL is changed, but the interface directions must be correct for NAT to work.

7
Drag & Drop · hard

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router for outbound traffic, including ACL creation, NAT statement, interface marking, and the translation process for an outbound packet.


Why this order

The correct sequence is: enter global configuration mode, mark the inside and outside interfaces with 'ip nat inside' and 'ip nat outside', then create an ACL to match internal traffic, and finally apply the NAT overload statement using the outside interface. This order ensures the NAT process knows which interfaces are designated as inside/outside before matching and translating traffic. Option B follows this standard recommended order.

Exam trap

Many candidates mistakenly think the ACL must be created before marking interfaces, but interface designation should come first to define the NAT domains before defining the traffic to translate.

8
PBQ · hard

You are connected to R1. The network uses 192.168.1.0/24 for internal hosts and 203.0.113.0/29 for the public IP pool (203.0.113.2 is the outside interface). Configure PAT so that inside hosts can reach the Internet using the pool address 203.0.113.2. Also configure static NAT to map internal server 192.168.1.10 to 203.0.113.3. The initial config has errors; identify and fix them.

Hints

  • Check the ACL used by the PAT command — does it match the inside subnet?
  • The inside hosts are on 192.168.1.0/24, not 10.0.0.0/8.
  • Only the ACL needs correction; the static NAT and interface NAT designations are correct.
A. Change ACL 10 to permit 192.168.1.0 0.0.0.255 and ensure the NAT pool and PAT are correctly configured.
B. Change the NAT pool to use a different public IP address and update the static NAT mapping.
C. Remove the static NAT and use PAT for the server as well.
D. Change the inside interface IP address to match the ACL.
Answer: A
Solution
! R1
configure terminal
! Replace ACL 10 so that it matches the inside subnet used by the PAT rule
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
end

Why this answer

The ACL 10 permits 10.0.0.0/8, but inside hosts are on 192.168.1.0/24 — this ACL does not match the inside subnet, so PAT fails. The static NAT is correct. To fix: change ACL 10 to permit 192.168.1.0 0.0.0.255.

Also ensure the PAT references the correct ACL; currently it uses list 10, so after fixing the ACL, PAT will work. No other changes needed.

Exam trap

Candidates often overlook the ACL used in NAT and assume the NAT configuration is complete. Always verify that the ACL matches the inside network exactly. Also, remember that static NAT and PAT can coexist; do not remove static NAT if it is required.

Why the other options are wrong

B

The specific factual error is that the pool address 203.0.113.2 and static mapping to 203.0.113.3 are valid and do not need changing.

C

The specific factual error is that PAT does not allow inbound connections initiated from outside; static NAT is required for that purpose.

D

The specific factual error is that the inside interface IP is part of the 192.168.1.0/24 network and should not be changed; the ACL should be adjusted instead.

9
MCQ · medium

A router is configured for NAT overload, but translations never appear when inside users browse the internet. Which issue is most likely?

A. The outside interface is missing the ip nat outside command
B. The ACL used by NAT must deny inside addresses
C. PAT requires DHCP on the inside interface
D. NAT overload works only with OSPF-learned routes
Answer: A

Without inside and outside roles, overload translations will not build correctly.

Why this answer

NAT needs the inside and outside interfaces marked correctly. If those roles are missing or reversed, the router has no context for translating traffic and the NAT table stays empty.

Exam trap

Ensure inside and outside interfaces are correctly set for NAT; misconfigurations here are a common oversight.

Why the other options are wrong

B

The ACL used by NAT should match the inside local addresses that need to be translated, typically using a permit statement. If the ACL denies inside addresses, no traffic will be matched for translation, causing NAT to fail. The correct ACL should permit the inside network.

C

PAT (Port Address Translation) does not require DHCP on any interface. PAT translates multiple private IP addresses to a single public IP using different port numbers, and it works independently of how IP addresses are assigned. DHCP is only needed if the interface needs to obtain an IP address dynamically.

D

NAT overload (PAT) is independent of the routing protocol used. It works with static routes, OSPF, EIGRP, or any other routing protocol. The routing protocol only affects how packets are forwarded, not how NAT translates addresses.

10
MCQ · hard

Refer to the exhibit. An administrator has configured NAT on router R1 to allow hosts on the 192.168.1.0/24 LAN to access the Internet. However, users report that they cannot reach external websites. The administrator runs the show ip nat translations command. What is the most likely reason for the problem?

A. The access list used for dynamic NAT does not match the LAN subnet.
B. The ip nat outside command is missing from the WAN interface.
C. The ip nat inside source static commands have incorrect IP addresses.
D. The ip nat inside command is missing from the LAN-facing interface.
Answer: D

The output reveals that only static NAT translations are active; no dynamic entries exist. For the router to process packets from the LAN under NAT, the interface connected to the LAN must be configured with ip nat inside. Its absence stops all dynamic address translation, leaving only the manually configured static entries.

Why this answer

The output shows only static NAT entries (protocol column "---") with no dynamic translations. The presence of static entries does not depend on the dynamic NAT configuration. For dynamic NAT (like PAT overloading) to create translations for outbound traffic, the interface that receives packets from the inside hosts must have the ip nat inside command.

Because the LAN-facing interface is missing this command, no packets from 192.168.1.0/24 are evaluated for NAT, resulting in an empty dynamic translation table and connectivity failure.

Exam trap

Candidates often attribute the lack of dynamic translations to a misconfigured access list, but even a perfectly matched ACL cannot trigger NAT if the inside interface is not enabled with ip nat inside. The missing interface command is a more fundamental cause, as no translation can occur on packets entering that interface without it.

Why the other options are wrong

A

Candidates think any absence of dynamic entries is due to ACL mismatch, overlooking the prerequisite that the inside interface must be configured with ip nat inside for NAT to function at all.

B

The presence of static NAT translations in the output indicates that the ip nat outside command is already applied on the WAN interface.

C

Candidates may focus on the static entries, but the symptom is missing dynamic translations; bad static mappings would not prevent dynamic translations from appearing.

11
MCQ · hard

A network administrator configured dynamic NAT on a Cisco router to allow internal hosts to access the internet. After the configuration, users report that they can access some websites but not others. The administrator checks the router and discovers that the NAT translation table is full, and new connection attempts are being dropped. What is the most likely cause of this issue?

A. The inside local addresses are not properly defined in the access list.
B. The NAT pool is exhausted; configure PAT to allow multiple hosts to share a single public IP.
C. The outside interface is not configured with the ip nat outside command.
D. The inside interface is not configured with the ip nat inside command.
Answer: B

The pool has only 10 addresses, and once all are used, new translations fail. PAT allows many internal hosts to share a single public IP by using unique port numbers.

Why this answer

When the NAT pool is exhausted, no new translations can be created, so only hosts that already have established translations can continue to communicate, causing intermittent connectivity. A full NAT table means the pool of public IP addresses is completely allocated, preventing new sessions. Implementing PAT allows multiple inside hosts to share a single public IP by multiplexing port numbers, resolving the pool exhaustion.

Exam trap

Cisco often tests the distinction between dynamic NAT (one-to-one pool) and PAT (many-to-one), leading candidates to overlook pool exhaustion when symptoms show partial connectivity rather than total failure.

Why the other options are wrong

A

The access list is used to define which inside local addresses are eligible for NAT. If the access list were misconfigured, the router would not create translations for those hosts. However, the scenario states that translations are present, indicating that the access list is correctly matching the internal hosts.

C

If the outside interface were missing the 'ip nat outside' command, the router would not perform NAT on outbound traffic at all, resulting in no translations being created. Since translations are present, this command is correctly configured.

D

Similar to option C, if the inside interface were missing the 'ip nat inside' command, no translations would be created. The presence of translations indicates that the inside interface is correctly configured.

12
MCQ · medium

An engineer configures NAT overload on a router for inside users. Which resource is primarily used to let many internal hosts share one public IPv4 address?

A. IPv6 extension headers
B. TCP and UDP port numbers
C. Different source MAC addresses on the WAN
D. Separate routing tables per client
Answer: B

Correct choice.

Why this answer

PAT distinguishes sessions by using Layer 4 port numbers. That is what allows many inside devices to use the same outside IP address at the same time without conflicting with each other.

Exam trap

Don't confuse static or dynamic NAT with PAT; only PAT allows multiple hosts to share a single IP using port numbers.

Why the other options are wrong

A

IPv6 extension headers are used for additional functionality in IPv6 packets, such as fragmentation or security, and are not involved in NAT overload (PAT) which operates at Layer 4 using port numbers.

C

Source MAC addresses are used for Layer 2 forwarding within a local network and are not preserved across a router's WAN interface; NAT operates at Layer 3 and above, not using MAC addresses for translation.

D

Routers do not maintain separate routing tables per client; routing tables are based on destination networks, not individual hosts. NAT overload uses a single routing table and relies on port numbers for translation.

13
MCQ · medium

A router is configured for PAT overload. What does the inside global address represent for an internal PC?

A. The private IP address assigned to the internal PC
B. The public address that represents the internal PC to external networks
C. The remote server address as seen from the inside host
D. The MAC address of the outside interface
Answer: B

That is the inside global address.

Why this answer

With NAT overload, the inside local address is the private address on the internal host. The inside global is the translated public address that represents that inside host to the outside network.

Exam trap

A frequent exam trap is mistaking the inside global address for the inside local address. Candidates often confuse the private IP assigned to the internal PC (inside local) with the public IP address used externally (inside global). Another pitfall is mixing up inside global with outside local or outside global addresses, which relate to remote hosts rather than internal devices.

This confusion can lead to incorrect NAT configuration interpretations or troubleshooting errors. Remember, the inside global address is the public IP visible to external networks representing the internal PC, not the private IP assigned inside the LAN.

Why the other options are wrong

A

Option A incorrectly identifies the inside global address as the private IP address assigned to the internal PC. This is actually the inside local address, which is the private IP used within the internal network and not visible externally.

C

Option C confuses the inside global address with outside local or outside global addresses, which refer to remote servers or external hosts from the internal perspective. The inside global address specifically represents the internal PC externally.

D

Option D incorrectly associates the inside global address with the MAC address of the outside interface. NAT translation deals with IP addresses and ports, not MAC addresses, so this option is invalid.

14
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PAT (NAT overload) on a Cisco IOS-XE router so that internal hosts can share a single public IP when accessing the internet. Note: The NAT overload command is applied globally, not on the interface.


Why this order

First, enter global configuration mode. Then configure the inside and outside interfaces with 'ip nat inside' and 'ip nat outside'. Next, create an ACL to identify internal traffic that should be translated.

Finally, apply the NAT overload configuration globally using 'ip nat inside source list <ACL> interface <outside-interface> overload'. The correct order is global config, interfaces, ACL, then global NAT command.

Exam trap

A common mistake is placing the ACL creation before configuring the interfaces or thinking that the NAT overload command is applied directly on the outside interface instead of globally.

15
MCQ · hard

A network technician has configured static NAT with the command ip nat inside source static 192.168.1.10 203.0.113.10. The web server at 192.168.1.10 is accessible from the internet on TCP port 80 but not on TCP port 443. The ACL applied to the outside interface permits all IP traffic. What is the most appropriate next step to troubleshoot this issue?

A. Check if the web server is running HTTPS service on port 443.
B. Verify that the ACL applied to the outside interface explicitly permits TCP port 443.
C. Examine the NAT translation table for any conflicting dynamic entries.
D. Confirm the inside global IP address mapped to the server is correct.
Answer: A

This step targets the application layer, where the symptom most likely resides. The ACL permits all IP traffic and the static NAT is successfully translating port 80, ruling out misconfigurations there.

Why this answer

Since the ACL already permits all IP traffic and the static NAT translation works for port 80, the problem is not at Layer 3/4 filtering or NAT. The most likely cause is an application-layer issue: the web server is not listening on port 443. Checking the server's HTTPS service directly addresses that.

Exam trap

Verifying the ACL — many candidates miss that an ACL 'permit ip any any' already allows all ports, so adding a port 443 rule is unnecessary and distracts from the real problem.

Why the other options are wrong

B

The already-configured ACL permits all IP traffic, so explicitly allowing port 443 would not resolve a server not listening on that port. This step wastes time on a verified configuration.

C

Static NAT does not use dynamic overload entries. There are no conflicting entries because NAT overload is not configured, making this check irrelevant.

D

The fact that port 80 works shows the inside global IP is correct. Re-verifying it would not explain the port-specific failure, as the issue is not with the translation.

16
PBQhard

You are connected to R1. The internal network 192.168.1.0/24 must be able to access the Internet via PAT (NAT overload) using the outside interface G0/1 with IP 203.0.113.1. Additionally, a web server at 192.168.1.100 must be reachable from the Internet via static NAT to the same outside interface. The current configuration has errors. Correct the NAT configuration so that inside hosts can browse the web and the server is reachable from outside.

Hints

  • Check which interfaces are marked as inside and outside — both were inside.
  • The dynamic NAT rule is missing a keyword to enable port address translation.
  • Verify the ACL used in the NAT rule matches the correct inside subnet.
A.Change interface G0/1 to 'ip nat outside', add 'overload' to the dynamic NAT rule, and correct ACL 100 to permit 192.168.1.0 0.0.0.255
B.Change interface G0/1 to 'ip nat outside', add 'overload' to the dynamic NAT rule, and change ACL 100 to permit 192.168.2.0 0.0.0.255
C.Change interface G0/1 to 'ip nat outside', remove the 'overload' keyword from the dynamic NAT rule, and correct ACL 100 to permit 192.168.1.0 0.0.0.255
D.Change interface G0/1 to 'ip nat inside', add 'overload' to the dynamic NAT rule, and correct ACL 100 to permit 192.168.1.0 0.0.0.255
AnswerA
solution
! R1
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
exit
ip nat inside source list 100 interface GigabitEthernet0/1 overload
no access-list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

Why this answer

The configuration had three issues: (1) Interface G0/1 was incorrectly configured as 'ip nat inside' instead of 'ip nat outside' — this prevents translation as both interfaces are inside. (2) The NAT overload keyword was missing on the dynamic PAT rule — without 'overload', only one-to-one translation occurs. (3) ACL 100 was matching 192.168.2.0/24 instead of the actual inside subnet 192.168.1.0/24, so traffic from the correct subnet was not translated. Correcting these allows inside hosts to PAT to the outside IP and the static NAT to function properly.

Exam trap

Watch for three common mistakes in NAT configuration: (1) misplacing the 'inside' and 'outside' interface designations, (2) forgetting the 'overload' keyword for PAT, and (3) using an incorrect ACL that does not match the actual inside network. Always verify the ACL matches the source subnet of traffic needing translation.

Why the other options are wrong

B

The ACL must match the source subnet of the inside hosts that need translation; using 192.168.2.0/24 does not match 192.168.1.0/24.

C

The 'overload' keyword is essential for PAT; omitting it means only one inside host can use the outside IP at a time.

D

NAT requires one interface to be 'inside' and the other 'outside'; having both as 'inside' prevents translation of outbound traffic.

17
PBQhard

You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the outside interface GigabitEthernet 0/1 with IP 203.0.113.2/29. The current configuration has an incorrect inside/outside interface assignment and a missing overload keyword. Fix all issues.

Network Topology
[Diagram labels: R1; G0/0 192.168.1.1/24; G0/1 203.0.113.2/29; Hosts; LAN; ISP; Internet]

Hints

  • Check which interfaces are marked 'inside' and 'outside'.
  • The PAT command must include the 'overload' keyword.
  • The ACL must match the correct source subnet (192.168.1.0/24).
A.Configure 'ip nat inside' on GigabitEthernet0/0, 'ip nat outside' on GigabitEthernet0/1, correct ACL 10 to permit 192.168.1.0 0.0.0.255, and add 'overload' to the PAT command.
B.Configure 'ip nat outside' on GigabitEthernet0/0, 'ip nat inside' on GigabitEthernet0/1, keep ACL 10 as is, and add 'overload' to the PAT command.
C.Configure 'ip nat inside' on GigabitEthernet0/1, 'ip nat outside' on GigabitEthernet0/0, correct ACL 10 to permit 192.168.1.0 0.0.0.255, and add 'overload' to the PAT command.
D.Configure 'ip nat inside' on GigabitEthernet0/0, 'ip nat outside' on GigabitEthernet0/1, correct ACL 10 to permit 192.168.1.0 0.0.0.255, but do not add 'overload' to the PAT command.
AnswerA
solution
! R1
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
ip nat inside source list 10 interface GigabitEthernet0/1 overload
access-list 10 permit 192.168.1.0 0.0.0.255

Why this answer

Three issues exist: (1) The inside and outside interfaces are swapped — GigabitEthernet0/0 (LAN) should be 'ip nat inside' and GigabitEthernet0/1 (WAN) should be 'ip nat outside'. (2) The PAT command lacks the 'overload' keyword. (3) ACL 10 permits 10.0.0.0/8 but the inside subnet is 192.168.1.0/24; the ACL must be corrected. Fix with 'interface GigabitEthernet0/0', 'ip nat inside', 'interface GigabitEthernet0/1', 'ip nat outside', 'ip nat inside source list 10 interface GigabitEthernet0/1 overload', and 'access-list 10 permit 192.168.1.0 0.0.0.255'.

Exam trap

A common trap is confusing which interface should be inside and which should be outside. Remember: inside is the private LAN side, outside is the public WAN side. Also, do not forget the 'overload' keyword for PAT, and ensure the ACL matches the correct source subnet.

Why the other options are wrong

B

The specific factual error: The inside/outside interface assignment is reversed; ACL 10 permits 10.0.0.0/8 instead of 192.168.1.0/24.

C

The specific factual error: The inside/outside interface assignment is reversed; the WAN interface should be outside, not inside.

D

The specific factual error: The 'overload' keyword is missing, which is required for PAT to enable many-to-one translation.

18
Drag & Dropmedium

Drag and drop the configuration steps into the correct order to configure Port Address Translation (PAT) on a Cisco router.

Why this order

The correct sequence is: first define the addresses to translate with an access list; next mark the inside interface with 'ip nat inside'; then mark the outside interface with 'ip nat outside'; finally, enable PAT globally with the 'ip nat inside source list ... overload' command. The overload command is not applied to an interface—it references the outside interface to translate source addresses to that interface’s IP.

Exam trap

The exam trap is that candidates often confuse the order of steps, thinking that applying the overload command or marking interfaces comes before defining the ACL. Remember: ACL first, then inside interface, then outside interface, then overload command.

19
PBQhard

You are troubleshooting PAT and static NAT on R1. The inside network 192.168.10.0/24 must be translated to the public IP 203.0.113.1 (interface G0/1) using port address translation. Additionally, the server at 192.168.10.100 must be reachable from the outside via static NAT to 203.0.113.5. The current configuration is not working. Identify and correct the errors in the running config on R1.

Hints

  • Check which subnet the ACL is matching — it might not be your inside network.
  • Look at the PAT command: is there an 'overload' keyword? Without it, only one translation is allowed.
  • Verify the static NAT mapping: the inside server IP should match the actual server.
A.The ACL in the NAT configuration incorrectly permits network 192.168.20.0/24 instead of 192.168.10.0/24, and the PAT command is missing the 'overload' keyword.
B.The static NAT entry uses the wrong inside address; it should be 192.168.10.100 but is configured with 192.168.10.1.
C.The PAT command is missing the 'overload' keyword, and the static NAT entry maps to the wrong public IP; it should use 203.0.113.1 instead of 203.0.113.5.
D.The static NAT entry maps the server to the wrong public IP, 203.0.113.1 instead of 203.0.113.5, and the ACL incorrectly permits network 192.168.20.0/24.
AnswerA
solution
! R1
configure terminal
no access-list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/1 overload
end
write memory

Why this answer

The running configuration has two errors. First, access-list 100 incorrectly permits the 192.168.20.0/24 network instead of the inside network 192.168.10.0/24, so PAT will not translate any internal hosts. Second, the PAT command is missing the 'overload' keyword, which means only a single translation is possible, breaking connectivity for multiple devices.

The static NAT entry for the server is correctly mapping 192.168.10.100 to 203.0.113.5 and does not need correction.

Exam trap

Watch out for ACLs that match the wrong subnet in NAT configurations. Also, remember that PAT requires the 'overload' keyword; without it, only one translation is allowed. Static NAT often uses a different public IP than the PAT pool to avoid conflicts.

Why the other options are wrong

B

The static NAT entry is correct; the inside address 192.168.10.100 is properly mapped to 203.0.113.5.

C

Static NAT requires a separate public IP to avoid overlapping with PAT translations. The public IP 203.0.113.5 is appropriate.

D

The static NAT entry is correctly configured with 192.168.10.100 and 203.0.113.5; the error is solely in the ACL and missing overload keyword.

20
Multi-Selectmedium

Which TWO statements accurately describe Network Address Translation (NAT) types?

Select 2 answers
A.Static NAT creates a fixed one-to-one mapping between a local and global address and is typically used to allow external connectivity to internal servers.
B.Dynamic NAT assigns a public IP from a pool for the duration of a translation, but it does not modify Layer 4 port numbers.
C.PAT only translates TCP packets because it uses port numbers, leaving UDP translation unsupported.
D.Static NAT entries are automatically removed after periods of inactivity to free up public addresses.
E.With PAT, if the public IP address pool is exhausted, new translations fail because PAT requires unique public IPs for each private host.
AnswersA, B

Static NAT permanently maps a private IP to a public IP, enabling inbound access to internal resources like web servers.

Why this answer

Static NAT creates a permanent, one-to-one mapping between an inside local (private) IP address and an inside global (public) IP address. This fixed mapping is typically used to make internal servers, such as a web or email server, reachable from the internet using a consistent public address.

Exam trap

Cisco often tests the misconception that PAT only works with TCP. In reality PAT supports both TCP and UDP; the trap is that candidates confuse PAT's use of port numbers with a protocol limitation.

Why the other options are wrong

C

PAT works with any transport protocol that has port fields—TCP, UDP, and even ICMP through the identifier field.

D

Only dynamic translations (from dynamic NAT or PAT) have idle timeouts; static mappings are permanent.

E

This statement describes dynamic NAT pool exhaustion, not PAT, which uses port multiplexing.

21
PBQhard

You are connected to R1. Configure static NAT for a public web server (198.51.100.10 to 192.168.1.10) and PAT for the 192.168.1.0/24 LAN to use interface GigabitEthernet0/1 with overload. The current configuration has misconfigured NAT that prevents both types from working. Identify and fix the issues so that internal hosts can access the internet and external hosts can reach the internal web server.

Network Topology
[Diagram labels: R1; G0/0 192.168.1.1/24; G0/1 203.0.113.1/30; Internal hosts; LAN; Internet; ISP]

Hints

  • Check the NAT direction on each interface: which one faces the internal LAN and which faces the internet?
  • Look at the ACL in the PAT command — does it match the correct subnet?
  • The PAT command is missing a keyword that enables port multiplexing.
A.Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.
B.Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and change ACL 1 to permit 192.168.2.0 0.0.0.255.
C.Change interface GigabitEthernet0/1 to 'ip nat inside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.
D.Change interface GigabitEthernet0/1 to 'ip nat outside', remove the 'overload' keyword from the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.
AnswerA
solution
! R1
configure terminal
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
exit
no ip nat inside source list 1 interface GigabitEthernet0/1
ip nat inside source list 1 interface GigabitEthernet0/1 overload
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
end

Why this answer

Three issues exist: (1) GigabitEthernet0/1 is the outside interface but is configured as 'ip nat inside' — it should be 'ip nat outside'. (2) The PAT command lacks the 'overload' keyword, so it does one-to-one translation instead of port address translation. (3) ACL 1 permits 192.168.2.0/24, but the inside LAN is 192.168.1.0/24 — the ACL must match the correct subnet. Correcting these allows PAT for the LAN and static NAT for the web server.

Exam trap

Watch out for three common traps: (1) Misidentifying inside vs. outside interfaces—the interface facing the public network is always outside. (2) Forgetting the 'overload' keyword for PAT—without it, you get dynamic NAT, not PAT. (3) Using the wrong ACL—the ACL must match the inside network exactly.

Why the other options are wrong

B

The ACL must match the inside network; permitting a different subnet will not translate traffic from the correct LAN.

C

The NAT inside/outside designation is based on the direction of traffic; the interface facing the public network must be outside.

D

Without 'overload', the router will not use port numbers to multiplex multiple inside hosts to a single public IP.

22
PBQhard

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to an ISP router at 10.0.0.2/30. The internal network has a web server at 192.168.1.10 and a mail server at 192.168.1.20. You need to configure NAT so that internal hosts can access the internet (PAT overload) and external users can reach the web server via public IP 203.0.113.10 and the mail server via public IP 203.0.113.11. The inside interface is GigabitEthernet0/1 (192.168.1.1/24) and the outside interface is GigabitEthernet0/0.

Network Topology
[Diagram labels: R1; G0/1 192.168.1.1/24; G0/0 10.0.0.1/30; 10.0.0.2/30; PCs; internal network; ISP; R2]

Hints

  • Define an ACL to match internal traffic.
  • Apply NAT inside/outside on the correct interfaces.
  • Use 'overload' for PAT.
A.
  ip access-list standard PERMIT_INTERNAL
  permit 192.168.1.0 0.0.0.255
  interface GigabitEthernet0/1
  ip nat inside
  interface GigabitEthernet0/0
  ip nat outside
  ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload
  ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 extendable
  ip nat inside source static tcp 192.168.1.20 25 203.0.113.11 25 extendable
B.
  ip access-list standard PERMIT_INTERNAL
  permit 192.168.1.0 0.0.0.255
  interface GigabitEthernet0/1
  ip nat outside
  interface GigabitEthernet0/0
  ip nat inside
  ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload
  ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
  ip nat inside source static tcp 192.168.1.20 25 203.0.113.11 25
C.
  ip access-list standard PERMIT_INTERNAL
  permit 192.168.1.0 0.0.0.255
  interface GigabitEthernet0/1
  ip nat inside
  interface GigabitEthernet0/0
  ip nat outside
  ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload
  ip nat inside source static 192.168.1.10 203.0.113.10
  ip nat inside source static 192.168.1.20 203.0.113.11
D.
  ip access-list standard PERMIT_INTERNAL
  permit 192.168.1.0 0.0.0.255
  interface GigabitEthernet0/1
  ip nat inside
  interface GigabitEthernet0/0
  ip nat outside
  ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload
  ip nat outside source static tcp 203.0.113.10 80 192.168.1.10 80
  ip nat outside source static tcp 203.0.113.11 25 192.168.1.20 25
AnswerA
solution
! R1
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
ip nat inside source static tcp 192.168.1.20 25 203.0.113.11 25
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside

Why this answer

The named standard ACL PERMIT_INTERNAL permits all internal hosts in 192.168.1.0/24. The 'ip nat inside source list PERMIT_INTERNAL interface GigabitEthernet0/0 overload' command enables PAT, translating internal addresses to the outside interface's IP. Static NAT entries map web and mail servers to public IPs with the 'extendable' keyword to allow both PAT and static NAT.

Proper interface NAT direction (inside/outside) is crucial.

Exam trap

Watch out for interface NAT direction: the inside interface is the one facing your internal network, and the outside interface faces the ISP. Also, remember that static NAT for servers must specify protocol and port to avoid mapping the entire IP. The 'extendable' keyword is often needed when combining PAT and static NAT.

Why the other options are wrong

B

The NAT interface directions are reversed; the internal-facing interface must be 'ip nat inside' and the external-facing interface must be 'ip nat outside'.

C

Static NAT for services must include the protocol (tcp/udp) and port number to map specific services; otherwise, it maps the entire IP address, which is not desired here.

D

The 'ip nat outside source static' command is used for translating the source address of inbound packets (e.g., for load balancing), not for mapping a public IP to an internal server. For inbound access to servers, 'ip nat inside source static' is required.

23
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PAT (overload) on a Cisco router using a single public IP address on the outside interface.

Why this order

The correct sequence is: first enter global configuration mode, then define the access list that matches inside traffic. Next, mark the inside and outside interfaces with `ip nat inside` and `ip nat outside` respectively. Finally, enable PAT with overload using `ip nat inside source list <acl> interface <outside-if> overload`.

This order ensures the router knows which interfaces are internal and external, which traffic to translate, and how to perform the translation.

Exam trap

Learners often forget to assign the 'ip nat inside' and 'ip nat outside' interface commands, or they configure them in the wrong order relative to the source NAT statement.

24
PBQmedium

You are connected to R1 via console. R1 has two interfaces: GigabitEthernet0/0 (10.0.0.1/30, connected to ISP) and GigabitEthernet0/1 (192.168.1.1/24, connected to internal LAN). The LAN hosts (192.168.1.0/24) need to access the internet. Configure dynamic NAT with PAT (overload) on R1 using a NAT pool so that internal hosts share the public IP 10.0.0.1 when accessing the internet. Assume the ISP router is already configured and reachable.

Network Topology
[Diagram labels: R1; G0/1 192.168.1.1/24; G0/0 10.0.0.1/30; PCs; LAN; ISP; Internet]

Hints

  • Define an ACL to match internal traffic.
  • Create a NAT pool with the public IP address.
  • Apply overload to allow multiple hosts to share the public IP.
A.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat pool PUBLIC 10.0.0.1 10.0.0.1 netmask 255.255.255.252
  ip nat inside source list 1 pool PUBLIC overload
  interface GigabitEthernet0/0
  ip nat outside
  interface GigabitEthernet0/1
  ip nat inside
B.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat pool PUBLIC 10.0.0.1 10.0.0.2 netmask 255.255.255.252
  ip nat inside source list 1 pool PUBLIC
  interface GigabitEthernet0/0
  ip nat outside
  interface GigabitEthernet0/1
  ip nat inside
C.
  access-list 1 permit any
  ip nat pool PUBLIC 10.0.0.1 10.0.0.1 netmask 255.255.255.252
  ip nat inside source list 1 pool PUBLIC overload
  interface GigabitEthernet0/0
  ip nat inside
  interface GigabitEthernet0/1
  ip nat outside
D.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat inside source list 1 interface GigabitEthernet0/0 overload
  interface GigabitEthernet0/0
  ip nat outside
  interface GigabitEthernet0/1
  ip nat inside
AnswerA
solution
! R1
ip access-list standard NAT_ACL
permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC_POOL 10.0.0.1 10.0.0.1 netmask 255.255.255.252
ip nat inside source list NAT_ACL pool PUBLIC_POOL overload
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside

Why this answer

Option A is correct because it creates an ACL matching only the internal subnet (192.168.1.0/24), defines a NAT pool containing only the single public IP 10.0.0.1, enables PAT with the 'overload' keyword, and correctly assigns inside/outside interfaces. Option B is wrong because the pool includes 10.0.0.2, which is the ISP's IP and would cause conflicts, plus it lacks the 'overload' keyword so PAT is not activated. Option C is wrong because the ACL uses 'any', potentially matching unintended traffic, and the interface roles are reversed (G0/0 as inside, G0/1 as outside), breaking the NAT translation direction.

Option D is incorrect because while it implements PAT correctly, it uses interface overload rather than a NAT pool, which does not meet the explicit requirement to use a pool.

Exam trap

Pay close attention to the exact requirements: the question specifies a pool with IP 10.0.0.1, not interface overload. Also ensure ACL matches only the internal subnet, and interfaces are correctly designated as inside/outside.

Why the other options are wrong

B

The pool range includes 10.0.0.2 (the ISP's IP) and lacks the overload keyword, so PAT is disabled.

C

The ACL permits all traffic (any) and the inside/outside interfaces are reversed.

D

This uses interface overload instead of a NAT pool, contradicting the pool requirement.

25
Multi-Selectmedium

Which TWO statements correctly describe the behavior of PAT (Port Address Translation) as configured on a Cisco router?

Select 2 answers
A.PAT translates multiple internal addresses to a single public IP address by using unique source port numbers.
B.PAT requires a 1:1 mapping of internal to external IP addresses.
C.PAT can only be configured with a pool of public IP addresses.
D.PAT uses both IP addresses and port numbers to track translations.
E.PAT translations are always static and never time out.
AnswersA, D

PAT distinguishes between multiple internal hosts sharing the same public IP by assigning a different source port for each session. The router maintains a translation table that tracks the original internal IP and port along with the assigned public IP and port.

Why this answer

PAT (Port Address Translation) translates multiple internal private IP addresses to a single public IP address by assigning unique source port numbers to each session, allowing many internal hosts to share one public IP. This is correctly described in option A. Option D is also correct because PAT uniquely identifies each translation by both the IP address and the port number, enabling the router to demultiplex return traffic.

Option B is wrong because PAT uses many-to-one mapping, not 1:1; a 1:1 mapping is characteristic of static NAT. Option C is incorrect because PAT can operate with a single public IP address (often the outside interface address) rather than requiring a pool. Option E is false because PAT translations are dynamically created and time out after a period of inactivity; they are not static.

Exam trap

Cisco often tests the misconception that PAT requires a pool of public IPs or a 1:1 mapping, when in fact PAT is designed for many-to-one translation using port numbers, and can operate with a single public IP address.

Why the other options are wrong

B

PAT does not require a 1:1 mapping; it allows many internal addresses to share a single public IP. A 1:1 mapping is characteristic of static NAT, not PAT.

C

PAT can be configured with either a single public IP address (using the interface address) or a pool of public IP addresses. It does not require a pool; a single address is sufficient for PAT overload.

E

PAT translations are dynamic and have a timeout (default 86400 seconds for general translations, but shorter for TCP/UDP). They are removed after the session ends or the timeout expires.

26
PBQhard

You are connected to R1. The inside network 192.168.1.0/24 must be translated to the outside interface IP (198.51.100.1) using PAT (NAT overload). Additionally, a static NAT entry must map host 192.168.1.10 to 203.0.113.10. The current configuration is incomplete and contains errors. Correct the configuration so that both translations work properly.

Network Topology
[Diagram labels: R1; G0/0 inside 192.168.1.1/24; G0/1 outside 198.51.100.1/24]

Hints

  • Check the direction of NAT on each interface (inside vs outside).
  • The PAT command requires the keyword 'overload' to enable port address translation.
  • The access list must match the inside local network, not a different subnet.
A.
  interface GigabitEthernet0/1
  ip nat outside
  !
  access-list 1 permit 192.168.1.0 0.0.0.255
  !
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  ip nat inside source static 192.168.1.10 203.0.113.10
B.
  interface GigabitEthernet0/1
  ip nat inside
  !
  access-list 1 permit 192.168.1.0 0.0.0.255
  !
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  ip nat inside source static 192.168.1.10 203.0.113.10
C.
  interface GigabitEthernet0/1
  ip nat outside
  !
  access-list 1 permit 10.0.0.0 0.255.255.255
  !
  ip nat inside source list 1 interface GigabitEthernet0/1
  ip nat inside source static 192.168.1.10 203.0.113.10
D.
  interface GigabitEthernet0/1
  ip nat outside
  !
  access-list 1 permit 192.168.1.0 0.0.0.255
  !
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
AnswerA
solution
! R1
interface GigabitEthernet0/1
ip nat outside
exit
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

Why this answer

The configuration has three issues: 1) GigabitEthernet0/1 is incorrectly set as 'ip nat inside' instead of 'ip nat outside'. 2) The PAT command is missing the 'overload' keyword. 3) Access-list 1 permits 10.0.0.0/8, not the inside subnet 192.168.1.0/24. The commands fix these: change the interface to 'ip nat outside', add 'overload' to the PAT command, and update the ACL to permit the correct inside network.

Exam trap

Watch out for three common mistakes: 1) Forgetting to set the outside interface as 'ip nat outside'. 2) Using an ACL that does not match the inside network. 3) Omitting the 'overload' keyword for PAT. Also, do not add protocol/port to static NAT unless specifically required.

Why the other options are wrong

B

The specific factual error is that the interface facing the outside (public) network is incorrectly configured as 'ip nat inside'.

C

The specific factual errors are: 1) The ACL does not match the correct inside network. 2) The 'overload' keyword is omitted, preventing PAT from working.

D

The specific factual error is that the static NAT command includes protocol and port, limiting the translation to TCP port 80 only.

27
MCQhard

Inside hosts can reach the internet only one at a time. What is the most likely NAT issue?

A.The NAT statement is missing the overload keyword
B.The access list should deny the inside subnet
C.The inside and outside interface roles are reversed in the exhibit
D.NAT cannot be used with RFC1918 addresses
AnswerA

PAT requires overload when multiple hosts share one public address.

Why this answer

Without overload, dynamic NAT uses one public address per internal session mapping. PAT with overload is what lets many inside hosts share a single outside interface address at the same time.

Exam trap

A frequent exam trap is assuming that reversing the inside and outside interface roles causes the symptom of only one host accessing the internet at a time. While interface roles are critical for NAT operation, reversing them typically prevents translation altogether rather than limiting it to a single host. Another trap is thinking that the ACL should deny the inside subnet to fix the issue, but denying the inside subnet in the ACL stops all translations, causing no internet access.

The real cause is missing the overload keyword, which is essential for PAT to allow multiple hosts to share one public IP simultaneously.

Why the other options are wrong

B

Denying the inside subnet in the ACL would prevent any NAT translation from occurring, which would block all inside hosts from reaching the internet, not just limit access to one at a time.

C

Reversing inside and outside interface roles typically stops NAT from functioning entirely rather than allowing only one host at a time. The symptom points more directly to missing overload.

D

NAT is specifically designed to translate RFC1918 private IP addresses to public IP addresses. Saying NAT cannot be used with RFC1918 addresses is incorrect and contradicts common practice.

28
PBQhard

You are connected to R1. The network has two routers: R1 (192.168.1.0/24 LAN) and R2 (Internet gateway). R1's inside LAN (192.168.1.0/24) must be translated to the public IP 203.0.113.1 using PAT (NAT overload) for Internet access. Additionally, the server at 192.168.1.100 must be reachable from the Internet via static NAT to 203.0.113.5. The current configuration is broken. Identify and fix the issues so that both PAT and static NAT work correctly.

Network Topology
[Diagram labels: R1; G0/0 192.168.1.1/24; G0/1 203.0.113.2/29; S0/0/0 10.0.0.1/30; inside hosts; LAN; Internet; WAN; R2]

Hints

  • Check which interfaces are marked as inside and outside — the public IP interface should be outside.
  • The ACL used for PAT must match the inside local network, not a different subnet.
  • The PAT command must include the keyword 'overload' to enable port address translation.
A.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat outside', and ensure the PAT command includes 'overload'.
B.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat inside', and ensure the PAT command includes 'overload'.
C.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat outside', and remove the 'overload' keyword from the PAT command.
D.Change ACL 10 to permit 192.168.1.0 0.0.0.255, change G0/1 to 'ip nat inside', and remove the 'overload' keyword from the PAT command.
AnswerA
solution
! R1
configure terminal
no ip nat inside source list 10 interface GigabitEthernet0/1
ip nat inside source list 10 interface GigabitEthernet0/1 overload
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
end

Why this answer

The configuration had three issues: 1) ACL 10 permitted 10.0.0.0/8 instead of the actual inside subnet 192.168.1.0/24, so no traffic matched PAT. 2) The PAT command was missing the 'overload' keyword, which is required for Port Address Translation; without it, the device attempts one-to-one dynamic NAT. 3) The interface facing the public network (G0/1) was incorrectly configured as 'ip nat inside' instead of 'ip nat outside'. The fix is to correct the ACL to permit 192.168.1.0 0.0.0.255, ensure the PAT command includes 'overload', and change G0/1 to 'ip nat outside'.

Exam trap

A common trap is confusing inside and outside interface designations. Remember: the interface facing the private network is 'ip nat inside', and the interface facing the public network is 'ip nat outside'. Also, PAT requires the 'overload' keyword; without it, you get dynamic NAT (one-to-one).

Why the other options are wrong

B

The specific factual error is that the interface with the public IP (203.0.113.1) must be configured as 'ip nat outside', not 'ip nat inside'. Marking it as inside would cause asymmetric NAT behavior and break translation.

C

The specific factual error is that PAT requires the 'overload' keyword. Without it, the router performs dynamic NAT (one-to-one translation), which would not support multiple hosts sharing a single public IP.

D

The specific factual errors are: (1) the interface with the public IP must be 'ip nat outside', and (2) PAT requires the 'overload' keyword. Both are violated here.
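
The three faults in this question (wrong ACL subnet, missing 'overload', and the translated-address interface marked inside) can be checked mechanically against a saved running-config. The Python below is an added example, not part of the original question bank; both config excerpts are constructed from the question's description, and the function names and finding codes are assumptions of this example. It models permit entries and full interface names only.

```python
import ipaddress
import re

# Constructed running-config excerpt with the three faults the question describes.
BROKEN_CONFIG = """
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat inside
access-list 10 permit 10.0.0.0 0.255.255.255
ip nat inside source list 10 interface GigabitEthernet0/1
ip nat inside source static 192.168.1.100 203.0.113.5
"""
# Constructed excerpt after the fix in answer A.
FIXED_CONFIG = """
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.1.100 203.0.113.5
"""

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def _permit_entry(spec):
    """Turn 'any', 'host A' or 'A WILDCARD' into an (address, wildcard) integer pair."""
    if spec == "any":
        return (0, 0xFFFFFFFF)
    parts = spec.split()
    if parts[0] == "host":
        return (_u32(parts[1]), 0)
    return (_u32(parts[0]), _u32(parts[1]))

def parse_config(text):
    """Collect interfaces, ACL permit entries and dynamic NAT rules from config text."""
    interfaces, acls, nat_rules = {}, {}, []
    cur_if = cur_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur_if, cur_acl = m.group(1), None
            interfaces[cur_if] = {"net": None, "role": None}
        elif m := re.match(r"ip access-list standard (\S+)$", line):
            cur_acl, cur_if = m.group(1), None
            acls.setdefault(cur_acl, [])
        elif m := re.match(r"ip nat inside source list (\S+) (interface|pool) (\S+)( overload)?$", line):
            nat_rules.append({"acl": m.group(1), "kind": m.group(2),
                              "target": m.group(3), "overload": bool(m.group(4))})
        elif m := re.match(r"(?:access-list (\S+) )?permit (any|host \S+|\S+ \S+)$", line):
            name = m.group(1) or cur_acl
            if name:
                acls.setdefault(name, []).append(_permit_entry(m.group(2)))
        elif cur_if and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            interfaces[cur_if]["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif cur_if and (m := re.match(r"ip nat (inside|outside)$", line)):
            interfaces[cur_if]["role"] = m.group(1)
    return interfaces, acls, nat_rules

def acl_covers(entries, net):
    """True if one permit entry matches every address in net (deny lines are not modelled)."""
    host_bits = int(net.hostmask)
    base = int(net.network_address)
    for addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # bits the ACL entry actually compares
        if care & host_bits == 0 and (base ^ addr) & care == 0:
            return True
    return False

def audit(text):
    """Return (code, detail) findings for the PAT faults discussed in the question."""
    interfaces, acls, nat_rules = parse_config(text)
    roles = {name: intf["role"] for name, intf in interfaces.items()}
    findings = []
    for rule in nat_rules:
        uses_if = rule["kind"] == "interface"
        for name, intf in interfaces.items():
            if intf["role"] != "inside" or intf["net"] is None or (uses_if and name == rule["target"]):
                continue  # the translated-address interface is reported as a role problem below
            if not acl_covers(acls.get(rule["acl"], []), intf["net"]):
                findings.append(("acl-mismatch",
                                 f"ACL {rule['acl']} does not permit {intf['net']} ({name})"))
        if not rule["overload"]:
            findings.append(("missing-overload", f"list {rule['acl']} is translated without PAT"))
        if uses_if and roles.get(rule["target"]) != "outside":
            findings.append(("outside-role",
                             f"{rule['target']} is marked {roles.get(rule['target'])}, not outside"))
    for role in ("inside", "outside"):
        if role not in roles.values():
            findings.append((f"no-{role}", f"no interface is marked ip nat {role}"))
    return findings
```
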

29
Multi-Selectmedium

Which three of the following statements about Network Address Translation (NAT) are correct? (Choose three.)

Select 3 answers
  • Static NAT provides a one-to-one mapping between a private IP and a public IP.
  • Dynamic NAT uses a pool of public IP addresses assigned on a first-come, first-served basis.
  • PAT (Port Address Translation) allows multiple internal hosts to share a single public IP address.
  • NAT eliminates the need for any routing in a network.
  • Dynamic NAT always assigns the same public IP to a given internal host.
  • PAT requires a unique public IP for every concurrent session.

Why this answer

Static NAT provides a one-to-one mapping between a private IP and a public IP, ensuring that a specific internal host always uses the same public address. Dynamic NAT uses a pool of public IP addresses assigned on a first-come, first-served basis, so internal hosts compete for available addresses. PAT (Port Address Translation) allows multiple internal hosts to share a single public IP by differentiating sessions via unique port numbers, which is the most common form of NAT used in home and small office routers.

Exam trap

Cisco often tests the misconception that dynamic NAT provides a fixed mapping like static NAT, or that PAT requires multiple public IPs, when in fact PAT is designed to share a single public IP among many hosts.

30
PBQmedium

You are connected to R1 via console. R1's GigabitEthernet0/0 (203.0.113.1/30) connects to the internet, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The internal LAN hosts need to access the internet using PAT (overload) with the public IP 203.0.113.1 assigned to GigabitEthernet0/0. An internal web server at 192.168.1.100 must be accessible from the internet via static NAT to 203.0.113.5. Your task is to configure NAT/PAT on R1.

Network Topology
Diagram labels: G0/0 10.0.0.1/30; G0/1 192.168.1.1/24; Internet; R1; Internal LAN

Hints

  • First define which internal addresses should be translated using an access list.
  • Use a NAT pool with a single IP for PAT overload.
  • Apply the nat inside and outside commands on the correct interfaces.
A.
ip access-list standard NAT_ACL
permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252
ip nat inside source list NAT_ACL pool PUBLIC overload
ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside

B.
ip access-list standard NAT_ACL
permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside

C.
ip access-list standard NAT_ACL
permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252
ip nat inside source list NAT_ACL pool PUBLIC
ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside

D.
ip access-list standard NAT_ACL
permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252
ip nat inside source list NAT_ACL pool PUBLIC overload
ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80 extendable
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside

AnswerA
solution
! R1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool PUBLIC 203.0.113.1 203.0.113.1 netmask 255.255.255.252
ip nat inside source list 1 pool PUBLIC overload
ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside

Why this answer

The access list selects the internal LAN traffic. The NAT pool uses the single public IP for overload. The static NAT translates the internal web server's HTTP traffic to a second public IP.

The interface commands mark inside and outside for NAT processing.

Exam trap

Pay close attention to the specific public IP address requirement. Using 'ip nat inside source list ... interface ... overload' uses the interface's IP, which may not be the exact IP specified. Also, remember that 'overload' is required for PAT, and inside/outside must be correctly assigned.

Why the other options are wrong

B

The command 'ip nat inside source list ... interface ... overload' uses the interface's IP address for translation, not the pool address 203.0.113.1. The requirement specifies using the public IP 203.0.113.1, which is assigned to the interface but may not be the interface's primary IP if multiple IPs are configured.

C

Without 'overload', the router will attempt to allocate a unique public IP for each internal session, but the pool has only one IP, so only one translation can exist at a time. PAT (overload) is required to allow multiple internal hosts to share the single public IP.

D

The 'ip nat inside' command should be on the LAN interface (GigabitEthernet0/1) and 'ip nat outside' on the internet-facing interface (GigabitEthernet0/0). Reversing them causes NAT to fail because the router does not know which traffic is internal.

31
MCQhard

A branch router is configured for NAT overload. The inside interface Gi0/0 is correctly marked ip nat inside, and the outside interface Gi0/1 is ip nat outside. The NAT statement uses access-list 1 permit 10.1.1.0 0.0.0.255 with ip nat inside source list 1 interface Gi0/1 overload. Inside hosts are in the 192.168.1.0/24 subnet and still reach the ISP with their private addresses. What is the most likely reason?

A.The ACL used for NAT does not match the inside client subnet.
B.GigabitEthernet0/0 should be configured as ip nat inside.
C.PAT cannot use an interface address as the translated source.
D.The router must run OSPF before NAT overload can function.
AnswerA

The overload statement references ACL 1, but ACL 1 permits 10.10.20.0/24 instead of 10.10.10.0/24.

Why this answer

The ACL matches the wrong inside subnet. NAT overload will only translate traffic that matches the source list or route map tied to the NAT statement. The interfaces are marked inside and outside correctly, so the bad match criteria is the most likely failure point.

Exam trap

A frequent exam trap is assuming that NAT overload requires routing protocols such as OSPF to function or that the outside interface cannot be used as the source address for translation. Some candidates also mistakenly believe that misconfigured interface NAT designations cause the problem when the real issue is the ACL mismatch. The trap lies in overlooking the ACL's role in defining which inside addresses are translated.

If the ACL does not include the correct inside subnet, NAT will not translate those packets, causing inside hosts to leak private IPs to the ISP. This subtle misconfiguration is often missed under exam pressure.

Why the other options are wrong

B

This option is incorrect because the ISP-facing interface is correctly configured as ip nat outside. The problem is not with the interface NAT designation but with the ACL mismatch. Changing the inside interface designation would not fix the translation issue.

C

This option is incorrect because NAT overload commonly uses the IP address of the outside interface as the translated source address. This is standard Cisco NAT behavior and not a cause of failure in this scenario.

D

This option is incorrect because NAT does not depend on routing protocols like OSPF to function. NAT translation is independent of routing protocols, so running OSPF is not required for NAT overload to work.

32
MCQhard

A router is configured with a static NAT mapping for an internal server. What is the main operational advantage of this design for outside clients?

A.The server is represented by a fixed public address that outside clients can reach predictably
B.The server automatically shares its public address with all inside users through overload
C.The server no longer needs an IP address on the internal network
D.The mapping removes the need for routing to the server
AnswerA

This is correct because static NAT creates a stable one-to-one mapping.

Why this answer

The main operational advantage is predictability. In plain language, outside clients always know which public IP address represents the internal server. That stable one-to-one mapping makes the server easier to reach consistently from external networks. This is exactly why static NAT is commonly used for inside services that need outside reachability.

This differs from PAT, which is optimized for many outbound user sessions sharing fewer public addresses. Static NAT is valuable when a specific device or service must have a stable external identity.

Exam trap

A frequent exam trap is confusing static NAT with PAT (Port Address Translation). While PAT allows many internal devices to share one public IP by using different port numbers, static NAT assigns a fixed public IP to a single internal device. Selecting an answer that suggests the server shares its public address with all inside users (like option B) is incorrect because static NAT does not perform address overload.

Another trap is assuming static NAT removes the need for routing; however, routing is still required to forward packets to the internal server. Misunderstanding these differences can lead to incorrect answers about NAT behavior and design advantages.

Why the other options are wrong

B

This option is incorrect because it describes PAT behavior, where multiple inside users share a public IP via port overload. Static NAT does not share the public address among users.

C

This option is incorrect because the internal server still requires a valid IP address on the internal network for routing and communication; static NAT does not remove this requirement.

D

This option is incorrect because NAT translates addresses but does not eliminate the need for routing. Proper routing is still necessary to deliver packets to the internal server.

33
PBQhard

You are connected to R1. The inside network 192.168.1.0/24 must be able to reach the internet via PAT (overload) using the public IP 203.0.113.1 on interface GigabitEthernet0/1. Additionally, a web server at 192.168.1.10 must be reachable from the internet via static NAT to 203.0.113.10. The current configuration is not working. Identify and fix all issues.

Hints

  • Check the ACL for the correct inside network.
  • The PAT command is missing a keyword to enable port address translation.
  • Ensure the 'overload' keyword is present in the ip nat inside source list command.
A.Change ACL 100 to permit 192.168.1.0 0.0.0.255, add 'overload' to the ip nat inside source list command, and verify with 'show ip nat translations'.
B.Change ACL 100 to permit 192.168.1.0 0.0.0.255 and add the 'overload' keyword to the ip nat inside source list command.
C.Add the 'overload' keyword to the ip nat inside source list command and verify with 'show ip nat translations'.
D.Change ACL 100 to permit 192.168.1.0 0.0.0.255 and verify with 'show ip nat translations'.
AnswerA
solution
! R1
conf t
no access-list 100
access-list 100 permit 192.168.1.0 0.0.0.255
ip nat inside source list 100 interface GigabitEthernet0/1 overload
end

Why this answer

The configuration has two issues: (1) ACL 100 permits 192.168.2.0/24 instead of 192.168.1.0/24, so the inside traffic is not matched for PAT. (2) The 'ip nat inside source list' command lacks the 'overload' keyword, preventing port address translation. The static NAT entry for the web server is correctly configured and does not depend on the ACL; it will work once the ACL is fixed. To resolve: change ACL 100 to permit 192.168.1.0 0.0.0.255, add 'overload' to the ip nat inside source list command, and verify with 'show ip nat translations'.

Exam trap

Candidates often overlook that the ACL must match the inside network exactly, and that 'overload' is required for PAT. Additionally, they may forget to verify with 'show ip nat translations' to confirm the configuration is working.

Why the other options are wrong

B

The answer fails to include the verification step, which is a critical part of troubleshooting and ensuring the configuration is applied correctly.

C

The ACL must match the correct inside network; without fixing it, PAT will not apply to the intended traffic.

D

The 'overload' keyword is essential for PAT; omitting it means the router will perform dynamic NAT without port translation, which is insufficient for multiple hosts.

34
MCQhard

The SVI for VLAN 20 has `ip nat outside` and the WAN interface has `ip nat inside`. Hosts in VLAN 20 must reach the internet through PAT, but users report no external connectivity. Which configuration issue best explains the problem?

A.The ACL should deny 192.168.20.0/24 instead of permit it
B.The interfaces are marked with inside and outside in the wrong places
C.PAT cannot be used with a /30 WAN link
D.NAT overload requires a route-map instead of an ACL
AnswerB

Reversed NAT roles stop the expected translations.

Why this answer

NAT overload works only when the inside and outside interfaces are identified correctly. Here the roles are reversed, so translations are not built in the right direction.

Exam trap

A frequent exam trap is assuming that the ACL or the subnet mask is the cause of NAT failure when the real issue is reversed inside and outside interface roles. Candidates often overlook the importance of interface designation commands (ip nat inside and ip nat outside), which are crucial for NAT operation. Without correct interface roles, the router cannot translate addresses properly, causing hosts to lose external connectivity even if ACLs and routing are correct.

This trap is tempting because ACLs and subnetting are more familiar concepts, but interface roles are equally critical for NAT to function.

Why the other options are wrong

A

Option A is incorrect because the ACL used for NAT must permit the inside local subnet (192.168.20.0/24) to allow translation. Denying this subnet would block NAT translation, but the question states the ACL permits it, so this is not the cause.

C

Option C is incorrect because a /30 WAN link is commonly used in point-to-point connections and does not prevent PAT from functioning. PAT works independently of the WAN subnet size.

D

Option D is incorrect because NAT overload can be configured using a standard ACL; a route-map is optional and not required. The absence of a route-map does not cause the connectivity issue described.

35
MCQmedium

On a router performing NAT, where should ip nat inside be applied?

A.On the interface facing the internal private network
B.On the interface facing the ISP only
C.On every routed interface on the router
D.Only on loopback interfaces
AnswerA

That is the inside side of the translation boundary.

Why this answer

The inside designation belongs on the interface facing the private internal network. The outside designation belongs on the interface facing the public or external network.

Exam trap

A frequent exam trap is misapplying the ip nat inside command to the interface facing the ISP or external network. This mistake reverses the NAT boundary, causing translation to fail because the router expects private addresses on the inside interface only. Another trap is assuming all interfaces require NAT configuration, leading to unnecessary or incorrect commands on unrelated interfaces.

Additionally, some candidates incorrectly think loopback interfaces should be marked inside or outside, but NAT operates on interfaces connected to actual networks. Recognizing that ip nat inside must be on the internal private network interface prevents these common errors.

Why the other options are wrong

B

Incorrect. The interface facing the ISP is typically marked with ip nat outside, not ip nat inside, because it represents the public or external side of the NAT boundary.

C

Incorrect. Not every routed interface requires NAT configuration. Only interfaces that participate in NAT translation should be marked as inside or outside to define the translation boundaries.

D

Incorrect. NAT is not limited to loopback interfaces, and loopbacks are generally not used for NAT inside or outside designation since NAT operates on interfaces connected to real networks.

36
Matchingmedium

Match each NAT or address-related term to its most accurate description.

Concepts
Matches

The private address used by the host on the internal network

The address representing the internal host to outside networks

A fixed one-to-one address mapping

A many-to-one translation approach using ports

Why these pairings

Inside local is the private IP address assigned to a host inside the internal network. Inside global is the public IP address that represents that internal host to external networks. Static NAT creates a permanent one-to-one mapping between an inside local and an inside global address.

PAT (Port Address Translation) extends NAT by using port numbers to map multiple inside local addresses to a single inside global address.

Exam trap

The trap is that all options involve IP address translation or special addresses, but only static NAT is a one-to-one manual mapping. Candidates often confuse static NAT with PAT or dynamic NAT, or mistakenly think loopback is a NAT term.

37
MCQmedium

A small office network uses a single public IP address on its router's WAN interface. The network administrator needs to allow all internal hosts to access the internet, but must also ensure that an internal web server with a private IP address is reachable from the internet. Which NAT configuration should the administrator implement to meet both requirements?

A.Configure dynamic NAT with a pool of public IPs and static NAT for the web server.
B.Configure PAT (overload) for internal hosts and static NAT for the web server.
C.Configure only PAT (overload) for all internal hosts including the web server.
D.Configure static NAT for the web server and use only the public IP for internal hosts.
AnswerB

PAT allows multiple internal hosts to share the single public IP for outbound traffic, while static NAT provides a permanent mapping for inbound traffic to the web server.

Why this answer

Option B is correct because PAT (Port Address Translation), also known as NAT overload, allows multiple internal hosts to share a single public IP address by mapping each session to a unique port number, satisfying the requirement for internet access. Static NAT is then used to create a one-to-one mapping from the public IP (on a specific port) to the private IP of the internal web server, making it reachable from the internet. This combination meets both outbound connectivity for all hosts and inbound access to the web server without needing additional public IPs.

Exam trap

Cisco often tests the misconception that PAT alone can handle inbound traffic, but the trap here is that PAT only translates outbound sessions unless a static entry is explicitly configured for the server, leading candidates to incorrectly select option C.

Why the other options are wrong

A

Only one public IP is available, so a pool cannot be created.

C

Inbound access to the web server would not be possible without a static mapping.

D

Internal hosts would not be able to access the internet because they lack public IP assignments.

38
MCQmedium

A show ip nat translations command displays this entry: Inside global 203.0.113.10:30001 Inside local 192.168.10.25:51514 Outside local 198.51.100.20:443 Outside global 198.51.100.20:443 Which statement is correct?

A.192.168.10.25 is the inside local address of the host
B.203.0.113.10 is the inside local address of the host
C.198.51.100.20 is the translated private address of the internal client
D.The entry proves static NAT is being used without port translation
AnswerA

Correct. 192.168.10.25 is the real private address of the inside host.

Why this answer

Inside local is the actual address assigned to the inside host before translation. The inside global address is the public representation used after NAT, and the port values show PAT is in use.

Exam trap

Be careful not to confuse inside local with inside global addresses, and understand the difference between local and global in NAT terminology.

Why the other options are wrong

B

This option is wrong because 203.0.113.10 is the inside global address, not the inside local address. The inside local address is 192.168.10.25, which is correctly identified in option A.

C

This option is incorrect because 198.51.100.20 is the outside local address, not a translated private address. The inside local address is specifically 192.168.10.25, as indicated in the NAT translation entry.

D

This option is incorrect because the entry carries port values (inside global 203.0.113.10:30001 for inside local 192.168.10.25:51514), which show that PAT is in use, so it does not prove static NAT without port translation.

39
MCQhard

A company wants a server on the inside network to be reachable consistently from outside using one known public IP address. Which NAT approach best fits that goal?

A.Static NAT
B.PAT overload only
C.No NAT at all, because private IPv4 addresses are Internet-routable
D.DHCP relay
AnswerA

This is correct because static NAT provides a permanent one-to-one mapping suitable for a reachable internal server.

Why this answer

Static NAT best fits that goal because it creates a fixed, predictable one-to-one mapping between the internal server and a public address. In plain language, outside systems always know which public IP represents that server. This predictability is exactly what is needed when a service must be reachable consistently from the outside.

PAT is better suited for many outbound clients sharing one address, not for presenting one inside server with a permanent public identity. Dynamic NAT from a pool can also vary depending on design. The correct answer is the one that provides the most stable and direct one-to-one mapping.

Exam trap

A frequent exam trap is selecting PAT overload as the solution for making an internal server reachable from outside. PAT is designed for multiple internal clients to share a single public IP for outbound connections, not for providing a fixed public IP to a server. Another common mistake is thinking private IP addresses can be accessed directly from the Internet without NAT, which is incorrect because private IPs are non-routable externally.

Misunderstanding DHCP relay as related to NAT or public reachability is also a trap; DHCP relay only forwards DHCP requests and does not affect NAT mappings or external accessibility.

Why the other options are wrong

B

PAT overload is incorrect because it is designed for many internal clients sharing a single public IP for outbound traffic, not for providing a fixed public IP to a server.

C

No NAT is incorrect since private IPv4 addresses are not routable on the Internet and require NAT to be accessible externally.

D

DHCP relay is unrelated to NAT or public reachability; it only forwards DHCP requests and does not affect how internal servers are accessed from outside.

40
MCQhard

Hosts on the inside network can reach the internet, but return traffic is failing after a new router was installed. The router's configuration shows that the LAN-facing interface has been configured with 'ip nat outside' and the WAN-facing interface with 'ip nat inside'. What configuration mistake is the most likely cause?

A.The NAT inside and outside interface roles are reversed.
B.The ACL must deny RFC1918 traffic before NAT can work.
C.PAT cannot use an interface address for overload.
D.The inside subnet must be configured as /24 on both interfaces.
AnswerA

That is the key problem shown.

Why this answer

NAT overload requires the LAN-facing interface to be marked as ip nat inside and the WAN-facing interface as ip nat outside. The exhibit shows those roles reversed, so translations will not occur correctly. The ACL itself is fine for matching the inside subnet.

Exam trap

A frequent exam trap is reversing the NAT inside and outside interface roles. Candidates may see that hosts can initiate traffic to the internet and mistakenly assume NAT is correctly configured. However, if the router’s interfaces are misassigned, return traffic from the internet will not be translated back to the inside hosts, causing connectivity failures.

This trap exploits the partial functionality of NAT where outbound packets appear to succeed but inbound packets fail, leading to confusion during troubleshooting and exam scenarios.

Why the other options are wrong

B

Incorrect. The ACL in NAT configurations is used to identify which inside addresses to translate, not to filter or deny traffic. Denying RFC1918 traffic in the ACL is unnecessary and unrelated to the NAT failure described.

C

Incorrect. Using the outside interface IP address for PAT overload is a standard and supported practice in Cisco NAT configurations. This option does not explain the return traffic failure.

D

Incorrect. The inside subnet should only be configured on the LAN interface. The WAN interface typically uses a different subnet and should not share the inside subnet.

This misconfiguration would cause routing issues but is not the primary cause of NAT return traffic failure here.

41
MCQhard

A router has this command configured: `ip nat inside source static 192.168.1.50 203.0.113.50`. What is the main effect of this configuration?

A.It creates a permanent one-to-one translation between the inside host and a public address
B.It enables PAT overload for all internal users
C.It blocks inbound access to the inside host permanently
D.It changes the host subnet mask to a public prefix
AnswerA

This is correct because static NAT builds a fixed mapping from one inside local address to one inside global address.

Why this answer

This command creates a static NAT mapping between one inside local address and one inside global address. In plain language, the internal device at 192.168.1.50 will always appear as 203.0.113.50 to the outside world. That fixed relationship is useful when a particular internal host or service must be reachable consistently from outside networks.

This is different from PAT, which shares one public address across many sessions using ports. Static NAT is one-to-one and predictable. It does not dynamically pull from a pool in this syntax. The key idea is permanence: the same inside device is always mapped to the same outside address.

Exam trap

A common exam trap is mistaking static NAT for PAT or dynamic NAT. Candidates may incorrectly assume that the command enables PAT overload, allowing many internal users to share one public IP, but static NAT provides a fixed one-to-one mapping without port translation. Another trap is thinking static NAT blocks inbound traffic; in reality, it enables inbound access to the mapped inside host.

Misunderstanding these differences can lead to selecting incorrect answers about NAT behavior and configuration.

Why the other options are wrong

B

This option is incorrect because PAT overload uses a different command syntax involving 'overload' and allows many internal hosts to share one public IP, which is not the case here.

C

This option is wrong since static NAT does not inherently block inbound access; instead, it enables external hosts to reach the inside host via the mapped public IP.

D

This option is incorrect because NAT translation does not modify the subnet mask of the inside host; it only changes the IP address seen externally.

42
MCQhard

A technician is troubleshooting an issue where internal hosts can successfully ping internet addresses but cannot establish HTTP sessions. The router is configured with PAT (overload) and uses an access list to define the inside local addresses. Recently, the internal network was renumbered from 192.168.0.0/24 to 10.0.0.0/24. What is the most likely cause?

A.The router's HTTP inspection rule is blocking outbound TCP port 80.
B.The NAT access list still permits 192.168.0.0/24 and does not match the new 10.0.0.0/24 addresses.
C.The outside interface access list is blocking TCP packets from the new 10.0.0.0/24 subnet.
D.The default route has been changed to point to the wrong next-hop address, causing only HTTP packets to be dropped.
AnswerB

Because the ACL that defines inside local addresses for PAT was never updated after renumbering, no dynamic translations are created for HTTP sourced from 10.0.0.0/24.

Why this answer

PAT translates private addresses to a single public IP by matching the source against a NAT access list. The ACL permits only 192.168.0.0/24, so packets from the new 10.0.0.0/24 addresses are not translated. ICMP may still succeed due to an existing static NAT entry for ICMP echo or a separate rule, but HTTP requires new dynamic translations that the ACL blocks.

The other options are plausible but do not align as directly with the recent renumbering and the configured NAT ACL.

Exam trap

Option C (outside interface access list blocking TCP port 80) is tempting because many candidates first suspect ACL-based filtering when one protocol fails and another succeeds. However, the explicit mention of the renumbering and the PAT ACL mismatch makes B the more direct cause.

Why the other options are wrong

A

Candidates may confuse security inspection with NAT translation, assuming that a protocol‑specific inspection is needed for HTTP.

C

Tempting because an ACL could selectively block TCP; however, the question provides context about the renumbering, which directly points to the NAT configuration.

D

Candidates may assume that different protocols might take different paths, but a single default route applies uniformly to all IP traffic.

43
Drag & Dropmedium

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router.

Why this order

The correct sequence is: enter global configuration mode, designate inside and outside interfaces, create the NAT pool, and then enable overload on the pool. Interfaces must be designated first so that NAT translation can identify which interfaces are inside/outside. The pool must exist before you apply overload to it; otherwise the overload command will refer to an undefined pool.

The other options incorrectly place the pool creation or overload instruction before interface designation or in an impossible order.

Exam trap

The exam trap is that candidates often confuse the order of NAT configuration steps. Remember: interfaces first (inside/outside), then pool, then overload. Do not create the pool before designating interfaces, and do not enable overload before the pool exists.

44
PBQ · hard

You are connected to R1 via console. R1 connects two networks: GigabitEthernet0/0 (10.0.0.1/30) to the ISP, and GigabitEthernet0/1 (172.16.1.1/24) to an internal network. The internal hosts (172.16.1.0/24) need to communicate with a server at 10.0.0.2 (ISP side) using a static NAT mapping. Configure static NAT so that internal host 172.16.1.100 is mapped to public IP 10.0.0.3 (which is not assigned to any interface; assume ISP routes 10.0.0.3 to R1). Also configure a static route to reach 10.0.0.3 via the ISP router (next-hop 10.0.0.2).

Network Topology
[Topology diagram, labels only: Host 172.16.1.100, LAN, R1 (G0/1 172.16.1.1/24, G0/0 10.0.0.1/30), ISP, Server (10.0.0.2, ...]

Hints

  • Static NAT uses 'ip nat inside source static' mapping private to public.
  • Designate inside and outside interfaces correctly.
  • A static route is needed for the public IP because it is not directly connected.

A.
  ip nat inside source static 172.16.1.100 10.0.0.3
  interface GigabitEthernet0/0
   ip nat outside
  interface GigabitEthernet0/1
   ip nat inside
  ip route 10.0.0.3 255.255.255.255 10.0.0.2
B.
  ip nat inside source static 10.0.0.3 172.16.1.100
  interface GigabitEthernet0/0
   ip nat inside
  interface GigabitEthernet0/1
   ip nat outside
  ip route 10.0.0.3 255.255.255.255 10.0.0.2
C.
  ip nat inside source static 172.16.1.100 10.0.0.3
  interface GigabitEthernet0/0
   ip nat inside
  interface GigabitEthernet0/1
   ip nat outside
  ip route 10.0.0.3 255.255.255.255 10.0.0.2
D.
  ip nat outside source static 172.16.1.100 10.0.0.3
  interface GigabitEthernet0/0
   ip nat outside
  interface GigabitEthernet0/1
   ip nat inside
  ip route 10.0.0.3 255.255.255.255 10.0.0.2

Answer: A

Solution
! R1
ip nat inside source static 172.16.1.100 10.0.0.3
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside
ip route 10.0.0.3 255.255.255.255 10.0.0.2

Why this answer

Static NAT provides a one-to-one mapping between a private and public IP. The inside/outside interface designations are critical for NAT to function. The static route ensures that return traffic to 10.0.0.3 is routed via the ISP.

Exam trap

Be careful with the order of addresses in the static NAT command: inside local (private) first, then inside global (public). Also, remember that the inside interface is the one facing your internal network, and the outside interface faces the external network. The static route is needed for the public IP that is not directly connected.

Why the other options are wrong

B

The static NAT command syntax is 'ip nat inside source static [inside-local] [inside-global]'. Here, the inside local (private) should be 172.16.1.100 and inside global (public) should be 10.0.0.3. Also, the inside interface is the one facing the internal network (G0/1) and outside is facing the ISP (G0/0).

C

NAT requires that the interface facing the internal network be marked as 'ip nat inside' and the interface facing the external network be marked as 'ip nat outside'. Here, G0/0 connects to the ISP (outside) and G0/1 connects to the internal network (inside).

D

The command 'ip nat outside source static' translates the source address of packets arriving on the outside interface. For translating internal host addresses to a public IP, 'ip nat inside source static' must be used.

45
MCQ · hard

Refer to the exhibit. An administrator has configured PAT for internal hosts to access the internet, but users report that they cannot reach external websites. The administrator suspects a NAT issue and runs the show ip nat statistics command. What is the most likely cause of the problem?

A. The NAT overload pool is incorrectly configured with the inside interface Gi0/1 instead of the outside interface Gi0/0.
B. The access-list 1 used in the NAT statement is not matching any traffic.
C. CEF switching is disabled, causing all packets to be punted to the process level and NAT to fail.
D. The maximum number of NAT translations has been reached, causing new translations to be denied.

Answer: A

The dynamic mapping line explicitly shows 'interface GigabitEthernet0/1', which is an inside interface according to the output. Overload must be tied to the outside interface.

Why this answer

The Dynamic mappings section reveals an inside source overload entry bound to interface GigabitEthernet0/1, which is listed under Inside interfaces. For PAT to work, the overload rule must use an outside (WAN) interface (here GigabitEthernet0/0), not an inside interface. This misconfiguration causes all translation attempts to fail, reflected in Hits: 0 and Misses: 15042.

Exam trap

Many candidates will suspect a misconfigured access list because Hits are 0 and Misses are high; however, the exhibit directly indicates the wrong interface binding in the dynamic mapping.

Why the other options are wrong

B

Candidates may focus on Hits: 0 and Misses: 15042 as typical of an ACL issue, but the explicit interface binding in the dynamic mapping is the direct evidence of misconfiguration.

C

The high CEF Punted count mirrors the misses, leading some to believe CEF is the problem, but the exhibit does not indicate CEF is disabled.

D

Candidates might assume that a high miss count reflects a full translation table, but the total active translations show 0.

46
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router and describe the translation process for an outbound packet.


Why this order

First, enter config mode. Then mark the inside and outside interfaces. Create a pool of global addresses. Finally, enable PAT with overload to allow multiple inside hosts to share the pool addresses.

Exam trap

Candidates often confuse the order of steps, especially thinking that creating the pool or marking interfaces can be done before entering global configuration mode. Remember: you must always be in global configuration mode before issuing any configuration commands. Also, the global address pool must be created before it can be referenced in the ip nat inside source list overload command.

47
PBQ · hard

You are connected to R1. The inside network 192.168.1.0/24 must be able to access the internet using PAT (NAT overload) with the outside interface G0/1 IP 203.0.113.1. Additionally, the internal server at 192.168.1.10 must be reachable from the internet via static NAT to 203.0.113.10. The current configuration is incomplete and contains errors. Identify and fix all issues so that both PAT and static NAT work correctly.

Network Topology
[Topology diagram, labels only: LAN, inside, R1 (G0/0 192.168.1.1/24, G0/1 203.0.113.1/24), outside, Internet]

Hints

  • Check which interfaces are marked as inside/outside — they may be reversed.
  • Look at the ACL used for dynamic NAT — does it match the correct inside subnet?
  • Is the 'overload' keyword present on the ip nat inside source command?

A. Swap ip nat inside/outside on interfaces, add 'overload' to the dynamic NAT rule, and correct ACL 1 to permit 192.168.1.0/24.
B. Change the static NAT inside address to 192.168.1.1 and add 'overload' to the dynamic NAT rule.
C. Remove the static NAT configuration and rely solely on PAT for the server.
D. Add the 'overload' keyword to the dynamic NAT rule and correct ACL 1 to permit 192.168.1.0/24.

Answer: A

Solution
! R1
interface GigabitEthernet0/0
ip nat inside
exit
interface GigabitEthernet0/1
ip nat outside
exit
no ip nat inside source list 1 pool GLOBAL
ip nat inside source list 1 pool GLOBAL overload
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255

Why this answer

The configuration had multiple faults: 1) Inside/outside interfaces were swapped – G0/0 (LAN) should be inside, G0/1 (WAN) should be outside. 2) The PAT command was missing the 'overload' keyword. 3) ACL 1 permitted the wrong subnet (192.168.2.0/24 instead of 192.168.1.0/24). 4) The static NAT configuration was correct, but the interface misconfiguration prevented it from working. Fixes: swap ip nat inside/outside on the interfaces, add 'overload' to the dynamic NAT rule, and correct ACL 1 to permit 192.168.1.0/24.

Exam trap

This question tests your ability to identify multiple simultaneous NAT configuration errors. Common traps include forgetting the 'overload' keyword, misconfiguring ACLs, and swapping inside/outside interfaces. Always verify interface NAT directions first, as they are foundational.

Why the other options are wrong

B

The static NAT inside address is already correct; altering it is unnecessary and incorrect.

C

Static NAT is required for inbound access; PAT alone cannot provide a fixed public-to-private mapping.

D

Interface NAT direction is fundamental; if inside/outside are reversed, NAT translations will not be applied correctly.

48
MCQ · hard

A router is configured with PAT for inside users. Which symptom most strongly suggests the NAT inside/outside roles are reversed on the interfaces?

A. Outbound traffic still shows private inside source addresses where translated public addresses should appear.
B. The NAT translation table is empty even though internal users are browsing the internet.
C. Internal hosts cannot reach the internet at all.
D. External hosts can connect to internal servers using their private IP addresses.

Answer: A

This is correct because reversed inside/outside roles break the normal PAT translation direction.

Why this answer

When NAT inside/outside roles are reversed, the router applies translation logic in the wrong direction, causing traffic from the inside network to leave the outside interface with untranslated private source addresses. The correct answer (A) directly demonstrates this failure: outbound traffic still shows private IPs where a public address should appear after PAT. The other options describe symptoms that could occur with other NAT misconfigurations but do not strongly indicate reversed roles: an empty translation table (B) suggests no NAT processing at all, possibly due to missing ACL or overload configuration; total lack of internet access (C) may result from many connectivity issues, not specifically reversed interface roles; and external hosts reaching internal servers by private IP (D) points more to a missing or incorrect static NAT rule rather than direction reversal.

Exam trap

A common exam trap is assuming that NAT translation problems are caused by ACL or overload command errors, while overlooking the inside/outside interface roles. Candidates may see private IP addresses in outbound traffic and mistakenly focus on ACL syntax or NAT pool definitions. However, the root cause is often reversed interface roles, which prevent the router from applying PAT correctly.

This trap leads to wasted time troubleshooting unrelated configurations and missing the fundamental NAT directionality requirement.

Why the other options are wrong

B

An empty NAT table indicates no translation is happening at all, which is not the expected outcome of simply reversing inside/outside roles—NAT still processes packets but incorrectly.

C

Complete internet unreachability is a generic connectivity symptom that could be caused by routing, firewall, or other NAT issues, but does not strongly signal a role reversal.

D

External hosts connecting to a private IP without translation is a typical sign of a missing static NAT or PAT rule, not of reversed interface direction assignments.

49
PBQ · medium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to a WAN link to the ISP. GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN with hosts needing Internet access. The ISP has allocated public IP pool 203.0.113.16/28 (203.0.113.17-203.0.113.30). The internal LAN should use NAT overload (PAT) to translate all internal traffic to the public IP 203.0.113.18. The router currently has no NAT configuration. Configure NAT overload on R1 to allow internal hosts to access the Internet.

Network Topology
[Topology diagram, labels only: Internal Hosts, LAN, R1 (G0/1 192.168.1.1/24, G0/0 10.0.0.1/30), WAN, ISP]

Hints

  • Think about which interfaces are inside and outside the NAT domain.
  • The overload keyword enables PAT.
  • Use an ACL to define which internal addresses are eligible for translation.

A.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat inside source list 1 interface GigabitEthernet0/0 overload
  interface GigabitEthernet0/1
   ip nat inside
  interface GigabitEthernet0/0
   ip nat outside
B.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  interface GigabitEthernet0/1
   ip nat inside
  interface GigabitEthernet0/0
   ip nat outside
C.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat inside source list 1 pool ISP_POOL overload
  ip nat pool ISP_POOL 203.0.113.18 203.0.113.18 netmask 255.255.255.240
  interface GigabitEthernet0/1
   ip nat inside
  interface GigabitEthernet0/0
   ip nat outside
D.
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat inside source list 1 interface GigabitEthernet0/0
  interface GigabitEthernet0/1
   ip nat inside
  interface GigabitEthernet0/0
   ip nat outside

Answer: C

Solution
! R1
access-list 1 permit 192.168.1.0 0.0.0.255
! The pool holds only the required public address 203.0.113.18
ip nat pool ISP_POOL 203.0.113.18 203.0.113.18 netmask 255.255.255.240
ip nat inside source list 1 pool ISP_POOL overload
interface GigabitEthernet0/1
ip nat inside
interface GigabitEthernet0/0
ip nat outside

Why this answer

The requirement is to translate all internal traffic to the specific public IP 203.0.113.18, not the physical interface's address. Option C achieves this with a NAT pool containing that IP and the overload keyword, enabling PAT. Option A translates to the interface's IP (10.0.0.1), contradicting the requirement.

Option B references the wrong interface in the translation command and lacks overload, while Option D omits the overload keyword entirely, providing only one-to-one NAT.

Exam trap

A common pitfall is assuming the outside interface's IP satisfies a translation requirement when a specific public IP from a pool is explicitly mandated.

Why the other options are wrong

A

Uses the outside interface IP (10.0.0.1) instead of the required 203.0.113.18.

B

The translation command uses the inside interface, which would not provide the correct source address for outbound traffic.

D

Missing the 'overload' keyword, so only one-to-one NAT occurs, preventing multiple hosts from sharing the IP.

50
PBQ · hard

You are connected to R1. The network uses private IP 10.10.10.0/24 on the inside and must reach the Internet via the outside interface G0/1 with public IP 203.0.113.1/29. Configure PAT (NAT overload) so that inside hosts can access the Internet, and also configure a static NAT for the internal server 10.10.10.100 to public IP 203.0.113.2. The current configuration has errors: the inside and outside interfaces are swapped, the ACL is incorrectly defined, and the overload keyword is missing. Fix all issues.

Network Topology
[Topology diagram, labels only: Inside hosts 10.10.10.0/24, switch, R1 (G0/0 inside 10.10.10.1/24, G0/1 outside 203.0.113.1/29), Internet]

Hints

  • Check which interface is marked inside and which is outside — the private IP network should be inside.
  • The ACL must match the actual inside subnet, not a different network.
  • PAT requires the 'overload' keyword on the ip nat inside source command.

A. On G0/0: ip nat inside; on G0/1: ip nat outside; ACL 10 permit 10.10.10.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1 overload
B. On G0/0: ip nat outside; on G0/1: ip nat inside; ACL 10 permit 10.10.10.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1 overload
C. On G0/0: ip nat inside; on G0/1: ip nat outside; ACL 10 permit 192.168.1.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1 overload
D. On G0/0: ip nat inside; on G0/1: ip nat outside; ACL 10 permit 10.10.10.0 0.0.0.255; ip nat inside source list 10 interface GigabitEthernet0/1

Answer: A

Solution
! R1
interface GigabitEthernet0/0
no ip nat outside
ip nat inside
exit
interface GigabitEthernet0/1
no ip nat inside
ip nat outside
exit
no access-list 10
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload

Why this answer

The configuration had three faults: (1) The inside interface (G0/0 with private IP) was marked 'ip nat outside', and the outside interface (G0/1 with public IP) was marked 'ip nat inside' — these must be swapped. (2) The ACL 10 permitted 192.168.1.0/24 instead of the actual inside subnet 10.10.10.0/24. (3) The NAT command 'ip nat inside source list 10 interface GigabitEthernet0/1' was missing the 'overload' keyword, which is required for PAT. The static NAT was correctly defined. After fixing all three, inside hosts will be able to access the Internet using PAT.

Exam trap

Watch out for three common NAT configuration mistakes: swapping inside/outside interface designations, using an ACL that does not match the actual inside network, and forgetting the 'overload' keyword for PAT. Always verify the interface IP addresses and the ACL permit statement.

Why the other options are wrong

B

The specific factual error is that the 'ip nat inside' and 'ip nat outside' commands are applied to the wrong interfaces. The inside interface must be the one facing the internal network, and the outside interface must be the one facing the external network.

C

The specific factual error is that the ACL does not match the correct inside network. The ACL in the NAT configuration must permit the exact private IP range used on the inside network.

D

The specific factual error is the omission of the 'overload' keyword. PAT (overload) is required to allow multiple inside hosts to share a single public IP address by using different source ports.

51
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure dynamic NAT with overload (PAT) using a pool of public IP addresses.


Why this order

The NAT pool must be defined first because it is referenced by the overload rule. Next, the access list identifies the inside local addresses that will be translated. The inside and outside interfaces are then labeled with 'ip nat inside' and 'ip nat outside' respectively, enabling NAT on those interfaces.

Finally, the overload rule is applied, linking the ACL and the pool on the specified interfaces to complete the configuration.

52
Multi-Select · medium

A branch office uses PAT overload on the edge router. Inside users can reach the internet, but return traffic for a newly deployed server must be mapped to a specific inside host. Which two statements are correct?

Select 2 answers

A. A static NAT entry can provide a consistent public-to-private mapping for the server
B. PAT overload is designed mainly for many-to-one outbound address sharing
C. Dynamic NAT always supports inbound access without additional configuration
D. NAT is unrelated to whether private addresses can reach the public internet

Answers: A, B

Static NAT is appropriate when inbound connections must always reach the same inside host.

Why this answer

PAT overload is great for many inside clients sharing a public IP for outbound sessions. A public-facing server that needs predictable inbound reachability typically requires static NAT or static PAT.

Exam trap

A frequent exam trap is assuming that PAT overload can handle inbound connections to a specific inside host because it manages many-to-one address sharing. However, PAT overload dynamically assigns ports for outbound sessions and does not reserve a fixed public IP and port combination for inbound traffic. This misconception leads to incorrect answers suggesting dynamic NAT or PAT overload can support inbound server access without additional configuration.

The key is recognizing that only static NAT provides a consistent public-to-private mapping necessary for inbound connectivity to a server.

Why the other options are wrong

C

Option C is incorrect because dynamic NAT does not guarantee a fixed public IP address for any inside host, so it cannot reliably support inbound access without additional static configuration.

D

Option D is incorrect because NAT and PAT are directly related to enabling private IP addresses to communicate with the public internet, making them central to edge router configurations in branch offices.

53
MCQmedium

Refer to the exhibit. Users on the inside network can browse the web, but return traffic is failing for some sessions. A partial configuration shows: interface GigabitEthernet0/0 ip address 192.168.10.1 255.255.255.0 ip nat outside ! interface GigabitEthernet0/1 ip address 203.0.113.10 255.255.255.0 ip nat inside ! ip nat inside source list 1 interface GigabitEthernet0/1 overload access-list 1 permit 192.168.10.0 0.0.0.255 Based on this configuration, which change is required to make PAT work correctly?

A.Apply ip nat enable on both interfaces.
B.Replace overload with pool.
C.Swap the inside and outside NAT roles on the two interfaces.
D.Change access-list 1 to a standard ACL numbered 100.
AnswerC

This is correct because NAT depends on the router knowing which side is private and which side is public. The current configuration labels them the wrong way round. PAT with overload on the WAN interface is fine, but the interface roles must match the traffic direction.

Why this answer

The problem is that the router has the NAT directions backwards. In simple terms, the interface facing the private LAN should be marked as inside, and the interface facing the public or WAN side should be marked as outside. Here, GigabitEthernet0/0 uses the private address 192.168.10.1, but it is configured as outside. GigabitEthernet0/1 uses the public address 203.0.113.10, but it is configured as inside. That reverses the translation logic and breaks normal PAT behavior.

Technically, the command `ip nat inside source list 1 interface GigabitEthernet0/1 overload` is otherwise reasonable for dynamic PAT using the WAN interface address. The ACL also correctly identifies the inside local subnet. The essential fix is to mark G0/0 as `ip nat inside` and G0/1 as `ip nat outside`. Once the directions are corrected, PAT can create and track translations properly for outbound traffic and returning sessions.
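The check described above can be automated when reviewing router configurations. The following is an added example, not part of the original question bank: a small Python audit that parses the partial configuration from this question and reports reversed NAT roles and a missing overload keyword. The function names and finding codes are hypothetical, and the parser handles only the command forms used here (interface-based overload rule, numbered standard ACL).

```python
import ipaddress
import re

# Constructed input: the partial configuration quoted in the question above.
EXHIBIT_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.10.0 0.0.0.255
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def acl_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; all other bits must equal the base."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def parse_config(text):
    """Collect interface NAT roles, standard ACL permits and PAT rules."""
    ifaces, acls, rules, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            current = ifaces.setdefault(m[1], {"ip": None, "role": None})
        elif (m := re.fullmatch(r"ip address (\S+) \S+", line)) and current is not None:
            current["ip"] = _ip(m[1])
        elif (m := re.fullmatch(r"ip nat (inside|outside)", line)) and current is not None:
            current["role"] = m[1]
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((_ip(m[2]), _ip(m[3])))
            current = None
        elif m := re.fullmatch(
            r"ip nat inside source list (\d+) interface (\S+)( overload)?", line
        ):
            rules.append({"acl": m[1], "iface": m[2], "overload": bool(m[3])})
            current = None
        elif line == "!":
            current = None
    return ifaces, acls, rules


def audit(text):
    """Return (code, subject) findings for each PAT rule in the configuration."""
    ifaces, acls, rules = parse_config(text)
    findings = []
    for rule in rules:
        if not rule["overload"]:
            findings.append(("NO_OVERLOAD", rule["iface"]))
        # The interface whose address PAT borrows must face the outside.
        target = ifaces.get(rule["iface"])
        if target is None or target["role"] != "outside":
            findings.append(("OVERLOAD_IF_NOT_OUTSIDE", rule["iface"]))
        # Interfaces whose own address is permitted by the NAT ACL sit on the
        # translated LAN, so they must be marked inside.
        entries = acls.get(rule["acl"], [])
        lan = [
            name for name, i in ifaces.items()
            if i["ip"] is not None and any(acl_match(i["ip"], b, w) for b, w in entries)
        ]
        if not lan:
            findings.append(("ACL_MATCHES_NO_INTERFACE", rule["acl"]))
        for name in lan:
            if ifaces[name]["role"] != "inside":
                findings.append(("LAN_IF_NOT_INSIDE", name))
    return findings


if __name__ == "__main__":
    for code, subject in audit(EXHIBIT_CONFIG):
        print(f"{code}: {subject}")
```

The audit infers the LAN side from the NAT ACL rather than from private address ranges, because several questions on this page use a private address on the outside link.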

Exam trap

A frequent exam trap is confusing the NAT inside and outside interface roles. Candidates may see the private IP on an interface and mistakenly assign it as 'ip nat outside' or vice versa. This reverses the translation direction, causing return traffic to fail despite correct ACLs and overload commands.

The trap exploits the assumption that the public IP must be inside or that the interface with the ACL is always inside. Understanding that NAT roles depend on network topology, not just IP addresses, is crucial to avoid this error.

Why the other options are wrong

A

Applying 'ip nat enable' on both interfaces is incorrect because Cisco IOS uses 'ip nat inside' and 'ip nat outside' to define NAT roles. The problem is not enabling NAT but assigning the correct directional roles to interfaces.

B

Replacing 'overload' with a pool is unnecessary since PAT uses 'overload' to allow multiple inside hosts to share one outside IP. The issue is not the translation method but the reversed inside/outside interface roles.

D

Changing access-list 1 to a standard ACL numbered 100 does not address the core problem. ACL 1 is valid for identifying inside local addresses, and the failure is due to reversed NAT interface roles, not the ACL number.

54
Drag & Drop · medium

Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router for outbound traffic from a private network to the Internet.


Why this order

PAT configuration requires first entering global config, defining the traffic with an ACL, specifying the outside interface, then applying the NAT overload command referencing the ACL and outside interface.

Exam trap

The exam trap here is that candidates often confuse the order of steps, especially when the ACL and interface are both referenced in the NAT command. Remember that you must define the ACL and configure the interface with 'ip nat outside' before applying the NAT overload command.

55
MCQ · hard

A network administrator is troubleshooting an issue where hosts in the 192.168.20.0/24 subnet cannot reach the Internet, while hosts in 192.168.10.0/24 can. The router is configured for PAT overload using a dynamic pool on the outside interface. The administrator collects the configuration shown in the exhibit. What is the most likely cause of the connectivity problem for the 192.168.20.0/24 subnet?

A. The wildcard mask in access list 20 is incorrect; it matches only the network address.
B. The NAT pool does not have enough IP addresses to support both subnets.
C. Interface GigabitEthernet0/2 is missing the ip nat inside command.
D. Access list 10 is incorrectly applied to the NAT pool, causing a conflict.

Answer: A

Access list 20 uses mask 0.0.0.0, which matches only the single address 192.168.20.0. To encompass the entire 192.168.20.0/24 subnet, the mask must be 0.0.0.255.

Why this answer

The issue is that access list 20, used to define which internal addresses are eligible for NAT, has a wildcard mask of 0.0.0.0. This wildcard mask matches only the exact address 192.168.20.0, not the entire 192.168.20.0/24 subnet. For a /24 subnet, the correct wildcard mask should be 0.0.0.255, which would match all addresses from 192.168.20.1 to 192.168.20.254.

Because the ACL matches only the network address (192.168.20.0), no host traffic from that subnet is translated, breaking Internet connectivity.
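The wildcard-mask behaviour described above can be verified offline. The following is an added example, not part of the original question bank: a Python sketch that applies the wildcard matching rule to every usable host in 192.168.20.0/24 and reports how many are eligible for translation under each mask. The function names are hypothetical; the addresses and masks are the ones named in the explanation.

```python
import ipaddress


def acl_matches(address, base, wildcard):
    """True if a standard ACL entry 'permit <base> <wildcard>' matches address.

    Wildcard bits set to 1 are "don't care"; bits set to 0 must equal the base.
    """
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def nat_coverage(base, wildcard, subnet):
    """Split the usable hosts of subnet into (matched, missed) lists.

    Matched hosts are eligible for translation by a NAT rule that references
    the ACL entry; missed hosts leave the router untranslated.
    """
    matched, missed = [], []
    for host in ipaddress.ip_network(subnet).hosts():
        bucket = matched if acl_matches(str(host), base, wildcard) else missed
        bucket.append(str(host))
    return matched, missed


def suggest_wildcard(subnet):
    """Wildcard mask that covers the whole subnet (the inverse of its netmask)."""
    return str(ipaddress.ip_network(subnet).hostmask)


if __name__ == "__main__":
    subnet = "192.168.20.0/24"
    for wildcard in ("0.0.0.0", suggest_wildcard(subnet)):
        matched, missed = nat_coverage("192.168.20.0", wildcard, subnet)
        print(
            f"access-list 20 permit 192.168.20.0 {wildcard}: "
            f"{len(matched)} hosts translated, {len(missed)} not matched"
        )
```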

Exam trap

Cisco often tests the distinction between matching the network address versus matching the host range in ACLs used for NAT, where candidates incorrectly assume that using the network address with a wildcard mask of 0.0.0.0 will match all hosts in the subnet.

Why the other options are wrong

B

NAT pool size is not a limiting factor with PAT overload; a single address can serve thousands of hosts.

C

The interface is correctly configured for NAT inside.

D

Applying multiple access lists to the same pool is allowed and does not create a conflict.

56
PBQ · medium

You are connected to R1 via the console. R1's GigabitEthernet0/0 (10.0.0.1/30) connects to ISP router, and GigabitEthernet0/1 (192.168.1.1/24) connects to the internal LAN. The internal network uses 192.168.1.0/24 and needs to access the internet. Configure NAT overload on R1 so that internal hosts are translated to the IP address of GigabitEthernet0/0 when accessing the internet.

Network Topology
[Topology diagram, labels only: Internet, ISP, R1 (G0/0 10.0.0.1/30, G0/1 192.168.1.1/24), LAN, PCs]

Hints

  • Define inside and outside interfaces separately.
  • Use the ACL to identify which traffic to translate.
  • The overload keyword enables PAT.

A.
  R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
  R1(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload
  R1(config)# interface GigabitEthernet0/0
  R1(config-if)# ip nat outside
  R1(config-if)# interface GigabitEthernet0/1
  R1(config-if)# ip nat inside
B.
  R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
  R1(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload
  R1(config)# interface GigabitEthernet0/0
  R1(config-if)# ip nat outside
  R1(config-if)# interface GigabitEthernet0/1
  R1(config-if)# ip nat inside
C.
  R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
  R1(config)# ip nat inside source list 1 interface GigabitEthernet0/0
  R1(config)# interface GigabitEthernet0/0
  R1(config-if)# ip nat outside
  R1(config-if)# interface GigabitEthernet0/1
  R1(config-if)# ip nat inside
D.
  R1(config)# access-list 1 permit any
  R1(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload
  R1(config)# interface GigabitEthernet0/0
  R1(config-if)# ip nat outside
  R1(config-if)# interface GigabitEthernet0/1
  R1(config-if)# ip nat inside

Answer: A

Solution
! R1
! ACL 1 selects the internal network that is eligible for translation
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside

Why this answer

NAT overload (PAT) allows multiple internal hosts to share a single public IP by using different source ports. The ACL identifies the internal network, and the interfaces are marked as inside/outside. The 'overload' keyword enables port address translation.

Option B fails because it translates to the wrong interface (GigabitEthernet0/1) instead of the public-facing interface (GigabitEthernet0/0). Option C is missing the required 'overload' keyword, so it performs dynamic NAT without PAT, which is insufficient for multiple hosts. Option D uses an overly broad ACL ('permit any') that does not match only the internal network (192.168.1.0/24) as required by the stem.

Exam trap

The most common traps are: (1) confusing inside and outside interfaces when specifying the NAT source, (2) forgetting the 'overload' keyword for PAT, and (3) using an overly permissive ACL like 'permit any' instead of restricting to the internal network. Always verify interface roles and the ACL scope.

Why the other options are wrong

B

The 'ip nat inside source list' command must specify the outside interface (the one with the public IP) for translation, not the inside interface.

C

NAT overload (PAT) requires the 'overload' keyword to enable port address translation. Without it, the router performs dynamic NAT, which is insufficient for sharing a single public IP among many hosts.

D

The ACL should match only the internal network that requires translation. Using 'permit any' would translate all traffic, including traffic that should not be translated, potentially breaking connectivity or causing security risks.

57
PBQ · hard

You are connected to R1. The inside network 192.168.10.0/24 must be able to reach the Internet via PAT (NAT overload) using the outside interface G0/1 with IP 203.0.113.2/30. Additionally, the internal server at 192.168.10.100 must be statically mapped to public IP 203.0.113.10. The current configuration is incomplete and contains errors. Fix the NAT configuration on R1 so that both requirements are met.

Hints

  • Check the NAT direction on the outside interface.
  • The overload keyword is missing from the PAT command.
  • The ACL must match the entire inside subnet, not just one host.

A.
  ip access-list standard 100
   permit 192.168.10.0 0.0.0.255
  ip nat inside source list 100 interface GigabitEthernet0/1 overload
  ip nat inside source static 192.168.10.100 203.0.113.10
  interface GigabitEthernet0/1
   ip nat outside
B.
  ip access-list standard 100
   permit host 192.168.10.100
  ip nat inside source list 100 interface GigabitEthernet0/1 overload
  ip nat inside source static 192.168.10.100 203.0.113.10
  interface GigabitEthernet0/1
   ip nat outside
C.
  ip access-list standard 100
   permit 192.168.10.0 0.0.0.255
  ip nat inside source list 100 interface GigabitEthernet0/1
  ip nat inside source static 192.168.10.100 203.0.113.10
  interface GigabitEthernet0/1
   ip nat outside
D.
  ip access-list standard 100
   permit 192.168.10.0 0.0.0.255
  ip nat inside source list 100 interface GigabitEthernet0/1 overload
  ip nat inside source static 192.168.10.100 203.0.113.10
  interface GigabitEthernet0/1
   ip nat inside

Answer: A

Solution
! R1
configure terminal
interface gigabitEthernet0/1
no ip nat inside
ip nat outside
exit
ip nat inside source list 100 interface gigabitEthernet0/1 overload
no access-list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
end

Why this answer

The correct configuration is a standard ACL matching the entire 192.168.10.0/24 subnet, a PAT statement with the overload keyword, and the outside interface correctly configured as ip nat outside. Option A achieves all three. Option B fails because its ACL only matches the server host, so only 192.168.10.100 can use the PAT translation.

Option C omits the overload keyword, meaning only one inside host can translate at a time – PAT is not enabled. Option D configures the external interface as ip nat inside instead of outside, blocking translation of outbound traffic.

Exam trap

Watch out for three common traps: (1) forgetting the overload keyword when PAT is needed; (2) using an ACL that only matches the server instead of the whole subnet; (3) confusing inside and outside interface configuration. Always verify the ACL scope and the presence of overload for PAT.

Why the other options are wrong

B

The ACL must match the entire inside network (192.168.10.0/24), not just the server IP.

C

The overload keyword is required to enable PAT (port address translation) for sharing a single public IP among multiple inside hosts.

D

The interface facing the internet must be configured as ip nat outside; inside interfaces are those facing the internal network.

58
MCQhard

Exhibit: Hosts on the inside network can reach the internet, but inbound connections to a published web server fail. Static NAT is configured. What is the most likely missing piece?

A.A default route on the inside host
B.An ACL permit entry allowing TCP port 80 or 443 to the translated address
C.PAT overload on the outside interface
D.DHCP relay toward the web server
AnswerB

NAT alone does not override an inbound filtering policy.

Why this answer

Static NAT provides the address translation, but traffic still must be permitted by an inbound ACL or firewall policy on the outside interface. Option A is incorrect because a default route on the inside host affects outbound traffic, not inbound connections. Option C is wrong since PAT overload is for many-to-one translation and is not required here, and it would not block inbound traffic if static NAT is already configured.

Option D is incorrect because DHCP relay does not influence inbound access to a web server; it only forwards DHCP requests from clients to a remote DHCP server.

Exam trap

Many candidates assume that static NAT alone guarantees inbound access, forgetting that an inbound ACL on the outside interface must explicitly permit the traffic.

Why the other options are wrong

A

A default route on the inside host controls outbound traffic, not inbound connections from the internet.

C

PAT overload is used for many-to-one translation and would not block inbound traffic if static NAT is already configured.

D

DHCP relay forwards DHCP requests to a remote server and does not affect inbound HTTP/HTTPS access to a web server.

59
MCQhard

A company wants an internal web server to be reachable consistently from the Internet using one known public IPv4 address. Which NAT approach best fits that requirement?

A.Static NAT
B.PAT overload
C.No NAT, because private IPv4 addresses are publicly routable
D.DHCP relay
AnswerA

This is correct because static NAT gives the server a permanent public mapping.

Why this answer

Static NAT is the best fit because it creates a fixed one-to-one relationship between the inside server and the public address. In practical terms, outside clients need a stable public identity for the server. They cannot rely on a translated address that changes session by session. Static NAT gives that predictability.

This is different from PAT, which is designed for many inside users sharing fewer public addresses for outbound traffic. The question is about publishing a server, not conserving addresses for client browsing. That is why static NAT is the strongest answer.

Exam trap

A frequent exam trap is selecting PAT overload as the solution for making an internal server reachable from the Internet. PAT is primarily designed for outbound traffic from multiple internal hosts sharing a single public IP, not for inbound access to a specific server. Another trap is thinking private IPv4 addresses are publicly routable, which they are not, so no NAT would fail to provide Internet reachability.

Also, confusing DHCP relay with NAT functions can mislead candidates, as DHCP relay only forwards DHCP messages and does not affect public IP mappings or server accessibility from the Internet.

Why the other options are wrong

B

PAT overload is incorrect because it is designed for many internal hosts sharing a single public IP for outbound traffic, not for providing a fixed public IP for inbound server access.

C

No NAT is incorrect since private IPv4 addresses are not routable on the public Internet; without NAT, the internal server cannot be reached from outside the private network.

D

DHCP relay is unrelated to NAT or public reachability; it only forwards DHCP requests across subnets and does not provide any public IP mapping for internal servers.

60
MCQhard

Which NAT design is most appropriate when many inside users need outbound Internet access through one public IPv4 address, but no inbound server publishing is required?

A.PAT overload
B.Static NAT for every host
C.No NAT, because private IPv4 addresses are Internet-routable
D.DHCP relay
AnswerA

This is correct because PAT allows many inside sessions to share one public address by using ports.

Why this answer

The most appropriate design is PAT overload. In practical terms, many internal users can share one public IPv4 address because PAT distinguishes their sessions using transport-layer ports. This is the most common solution when the requirement is outbound access for many clients rather than predictable inbound access to a specific internal server.

Static NAT would be the wrong design here because it creates fixed one-to-one mappings and consumes more public address space than needed for this use case. PAT is specifically built for many-to-one outbound translation.

Exam trap

A frequent exam trap is selecting static NAT or no NAT for outbound Internet access when many internal users share one public IP. Static NAT creates one-to-one mappings, consuming excessive public IP addresses unnecessarily. Choosing no NAT assumes private IPv4 addresses are routable on the Internet, which is false.

Another trap is confusing DHCP relay with NAT; DHCP relay only forwards DHCP messages and does not perform address translation. Candidates must recognize that PAT overload is the correct design for many-to-one outbound translation without inbound server publishing, avoiding these common misconceptions.

Why the other options are wrong

B

Static NAT for every host is incorrect because it requires a unique public IP address per internal host, which is inefficient and unnecessary when only outbound access is needed without inbound server publishing.

C

No NAT is incorrect because private IPv4 addresses are not routable on the public Internet and must be translated to public addresses to communicate externally.

D

DHCP relay is incorrect because it only forwards DHCP messages between clients and servers and does not perform any IP address translation or NAT functions.

61
MCQhard

A network engineer notices that internal hosts (192.168.1.0/24) can reach external servers on the internet, but replies from external servers never reach the internal hosts. The router R1 is configured with dynamic NAT to translate the internal subnet to a pool of public IPs (203.0.113.10-203.0.113.20). The engineer runs 'show ip nat translations' and sees only a few stale translations. What is the most likely cause of the issue?

A.The access list 'NAT' is incorrect; it should permit only specific hosts, not the entire subnet.
B.The outside interface (GigabitEthernet0/0) is missing the 'ip nat outside' command.
C.The NAT configuration lacks the 'overload' keyword, so the pool is exhausted quickly.
D.The NAT pool 'POOL' has too few addresses; it should be expanded to a /24 subnet.
AnswerB

Without 'ip nat outside' on the outside interface, the router does not translate return packets from the outside to the inside. Adding this command enables NAT to work bidirectionally.

Why this answer

The correct answer is B because the 'ip nat outside' command must be applied to the interface facing the external network (GigabitEthernet0/0) for the router to translate return traffic. Without it, the router does not perform NAT on packets arriving on that interface, so replies from external servers are forwarded without translation back to the inside local IPs, which are not routable on the internet. The stale translations indicate that outbound translations were created but never used for return traffic, confirming the missing outside interface command.

Exam trap

Cisco often tests the requirement that both 'ip nat inside' and 'ip nat outside' must be configured on the respective interfaces for NAT to work bidirectionally, and the trap here is that candidates assume only the inside interface needs the command or confuse the symptom with pool exhaustion or ACL issues.

Why the other options are wrong

A

The access list correctly matches the internal subnet, so this is not the root cause.

C

Even without overload, dynamic NAT should work for the first 11 hosts; the problem is that return packets are not being translated.

D

The pool size is not the issue; the router is not translating return traffic due to missing 'ip nat outside'.

62
MCQhard

A network administrator configures PAT on a router to allow internal hosts in the 10.10.10.0/24 subnet to access the Internet. Afterward, users report that they can ping public IP addresses but cannot access any websites. The administrator verifies that the access list for NAT matches the correct subnet, and the 'ip nat inside source list 1 interface GigabitEthernet0/1 overload' command is applied. What is the most likely cause of this issue?

A.The router's DNS proxy is misconfigured, preventing resolution of website names.
B.The PAT translation table is full, causing new TCP connection requests to be dropped.
C.The 'overload' keyword was omitted, causing the router to use dynamic NAT with a single-address pool.
D.A static NAT entry for a web server is using the same public IP address as the PAT overload.
AnswerB

PAT uses source port translation to map many internal addresses to a single public IP. ICMP (ping) does not consume a port mapping and can still be translated even when the table is exhausted. New TCP connections, required for web traffic, will fail when no free source port is available.

Why this answer

The ability to ping public IP addresses confirms that IP routing and PAT translation are working for ICMP traffic. However, the failure to access websites (HTTP/HTTPS) while ping succeeds indicates that the PAT translation table is likely exhausted, preventing the router from creating new translations for TCP connections. The 'overload' keyword is correctly configured, so the issue is not a missing keyword but rather resource exhaustion in the NAT table.

Exam trap

Cisco often tests the distinction between ICMP and TCP behavior under PAT exhaustion—candidates assume that if ping works, all IP connectivity is fine, but the trap is that PAT table exhaustion selectively drops new TCP sessions while allowing existing or low-volume ICMP traffic.

Why the other options are wrong

A

The scenario explicitly mentions successful pings to IP addresses, so name resolution is not the cause.

C

The command output explicitly shows 'overload', and the symptom (ping works, TCP fails) is inconsistent with a missing overload keyword.

D

A static NAT conflict would affect all traffic (including ICMP), not just web traffic.

63
MCQeasy

Which NAT feature allows many inside hosts to share one public IPv4 address by using unique source port numbers?

A.Static NAT
B.PAT
C.NTP authentication
D.Port security
AnswerB

PAT uses port numbers to multiplex many inside devices to one or a few public addresses.

Why this answer

PAT, sometimes called NAT overload, keeps track of connections by using Layer 4 port numbers so many private hosts can share a single public address.

Exam trap

A common exam trap is mistaking Static NAT for PAT. Static NAT creates a fixed one-to-one mapping between inside and outside IP addresses without using port numbers, so it cannot support multiple hosts sharing one public IP. Another trap is confusing unrelated features like NTP authentication or port security with NAT functions.

NTP authentication secures time synchronization and port security restricts MAC addresses on switch ports; neither involves IP address translation or port multiplexing. Candidates who overlook the role of Layer 4 port numbers in PAT may incorrectly select these options, missing the key concept that PAT uniquely identifies sessions by port numbers to allow many hosts to share a single public IPv4 address.

Why the other options are wrong

A

Static NAT provides a fixed one-to-one mapping between private and public IP addresses. It does not use port numbers to allow multiple inside hosts to share a single public IP, so it cannot fulfill the requirement of the question.

C

NTP authentication secures Network Time Protocol messages and is unrelated to address translation or NAT. It does not allow multiple hosts to share a public IP address.

D

Port security controls which MAC addresses can access a switch port to enhance Layer 2 security. It does not perform IP address translation or use port numbers to share public IP addresses.

64
Matchingmedium

Match each NAT term to its most accurate description.

Concepts
Matches

Private address used by the host on the internal network

Address that represents the internal host to outside networks

Fixed one-to-one translation

Many-to-one translation using ports

Why these pairings

NAT terms describe address perspectives: Inside Local is the internal host's IP, Inside Global is its external IP, Outside Local is the external host's IP seen internally, Outside Global is its actual external IP, Static NAT provides permanent mapping, and Dynamic NAT uses a pool.

Exam trap

The exam trap is confusing the perspective (inside vs. outside) and the location (local vs. global). Remember: 'Local' is the address as seen from the inside network, 'Global' is the address as seen from the outside network.

65
MCQhard

A company wants internal users to share one public IPv4 address for outbound Internet access, while keeping sessions separate. Which NAT approach best meets that requirement?

A.PAT overload
B.Static NAT only
C.No NAT, because private IPv4 addresses are Internet-routable
D.DHCP relay
AnswerA

This is correct because PAT uses port values to let many internal sessions share one public IPv4 address.

Why this answer

PAT is the correct approach because it allows many internal sessions to share one outside IPv4 address while distinguishing them by port numbers. In plain language, PAT gives the office an efficient many-to-one translation model that works well for ordinary user Internet access when public addresses are limited.

This is different from static NAT, which gives a fixed one-to-one mapping, and from dynamic NAT pools that usually rely on multiple public addresses. The correct answer is the translation method designed specifically for shared public-address use across many sessions.

Exam trap

A common exam trap is selecting static NAT as the solution because it involves address translation, but static NAT only supports one-to-one mappings and cannot handle multiple internal users sharing a single public IP address. Another frequent mistake is assuming private IPv4 addresses can be routed on the Internet without NAT, which is incorrect because private addresses are non-routable externally. Additionally, confusing DHCP relay with NAT functions can mislead candidates, as DHCP relay only forwards DHCP messages and does not perform address translation.

Recognizing that PAT overload uniquely enables many-to-one translation with port differentiation is crucial to avoid these pitfalls.

Why the other options are wrong

B

Static NAT only provides a one-to-one mapping between private and public IP addresses, so it cannot support multiple internal users sharing one public IP address simultaneously, making it unsuitable for the scenario.

C

No NAT is incorrect because private IPv4 addresses are not routable on the public Internet; without NAT, internal users cannot access external resources using private IPs alone.

D

DHCP relay is unrelated to NAT or IP address translation; it simply forwards DHCP requests between clients and servers and does not enable sharing of public IP addresses for Internet access.
